PublicDateAtUSN: 2017-04-24
Candidate: CVE-2017-3539

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.java.com/en/jre-jdk-cryptoroadmap.html
http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html
https://usn.ubuntu.com/usn/usn-3275-1
https://usn.ubuntu.com/usn/usn-3275-2

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE
(subcomponent: Security). Supported versions that are affected are Java SE:
6u141, 7u131 and 8u121; Java SE Embedded: 8u121. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded. Successful
attacks require human interaction from a person other than the attacker.
Successful attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of Java SE, Java SE Embedded accessible
data. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability
does not apply to Java deployments, typically in servers, that load and run
only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base
Score 3.1 (Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

It was discovered that OpenJDK allowed MD5 to be used as an algorithm
for JAR integrity verification. An attacker could possibly use this
to modify the contents of a JAR file without detection.

sbeattie> see openjdk cryptography roadmap
https://www.java.com/en/jre-jdk-cryptoroadmap.html
sbeattie> update treats JAR files signed with MD5 as unsigned JARs by
default. The jdk.jar.disabledAlgorithms security property can be
modified to work around this; see the openjdk release notes in the
References section for more details.
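Because the fixed packages treat a JAR whose signature relies on MD5 as unsigned, an administrator will want to inventory such archives before rolling the update out. The following is an added example (not code from the Ubuntu CVE tracker or from OpenJDK) that inspects a JAR's META-INF/*.SF signature files for MD5 digest headers; the sample JAR it builds is a constructed input, and it does not parse the PKCS#7 signature block, so a signature algorithm such as MD5withRSA would need a separate check.

```python
"""Inventory the digest algorithms used by a JAR's signature files.

A signature file (META-INF/<signer>.SF) records one "<ALG>-Digest-Manifest:"
header and one "<ALG>-Digest:" header per signed entry, so the digest
algorithm the signature depends on can be read without verifying it.
"""
import io
import re
import zipfile

SF_NAME = re.compile(r"^META-INF/[^/]+\.SF$", re.IGNORECASE)
# Matches "MD5-Digest:", "SHA-256-Digest:", "SHA-256-Digest-Manifest:", etc.
DIGEST_HDR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.MULTILINE
)


def digest_algorithms(jar_bytes: bytes) -> dict:
    """Map each signature file in the JAR to the set of digest algorithms it uses."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if SF_NAME.match(name):
                text = zf.read(name).decode("utf-8", errors="replace")
                found[name] = {m.group(1).upper() for m in DIGEST_HDR.finditer(text)}
    return found


def uses_md5(jar_bytes: bytes) -> bool:
    """True if any signature file carries an MD5 digest (treated as unsigned after the fix)."""
    return any("MD5" in algs for algs in digest_algorithms(jar_bytes).values())


def build_sample_jar(digest_alg: str) -> bytes:
    """Construct a minimal JAR with a signature file using digest_alg (test input only)."""
    sf = (
        "Signature-Version: 1.0\r\n"
        f"{digest_alg}-Digest-Manifest: AAAA\r\n\r\n"
        "Name: com/example/App.class\r\n"
        f"{digest_alg}-Digest: BBBB\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF", sf)
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")  # placeholder signature block
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("MD5", "SHA-256"):
        print(alg, "-> flagged" if uses_md5(build_sample_jar(alg)) else "-> ok")
```

To scan real archives, pass the bytes of each .jar on a host to uses_md5() and review the flagged ones against the jdk.jar.disabledAlgorithms decision described in the notes.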
upstream_openjdk-7: needs-triage
precise_openjdk-7: ignored (reached end-of-life)
precise/esm_openjdk-7: DNE (precise was needs-triage)
trusty_openjdk-7: released (7u131-2.6.9-0ubuntu0.14.04.1)
vivid/stable-phone-overlay_openjdk-7: DNE
vivid/ubuntu-core_openjdk-7: DNE
yakkety_openjdk-7: DNE

upstream_openjdk-6: needs-triage
precise_openjdk-6: ignored (reached end-of-life)
precise/esm_openjdk-6: DNE (precise was needs-triage)
trusty_openjdk-6: needs-triage
vivid/stable-phone-overlay_openjdk-6: DNE
vivid/ubuntu-core_openjdk-6: DNE
yakkety_openjdk-6: DNE

upstream_openjdk-8: needs-triage
precise_openjdk-8: DNE
precise/esm_openjdk-8: DNE
vivid/stable-phone-overlay_openjdk-8: DNE
vivid/ubuntu-core_openjdk-8: DNE
xenial_openjdk-8: released (8u131-b11-0ubuntu1.16.04.2)
yakkety_openjdk-8: released (8u131-b11-0ubuntu1.16.10.2)
zesty_openjdk-8: released (8u131-b11-0ubuntu1.17.04.1)
artful_openjdk-8: not-affected (8u131-b11-1)
bionic_openjdk-8: not-affected (8u131-b11-1)
devel_openjdk-8: not-affected (8u131-b11-1)