QID 198608

Date Published: 2021-12-21

QID 198608: Ubuntu Security Notification for Open Java Development Toolkit (OpenJDK) Vulnerabilities (USN-5202-1)

The FTP client implementation in OpenJDK accepted alternate server IP addresses when connecting with FTP passive mode. An attacker controlling an FTP server that an application connects to could possibly use this to expose sensitive information (rudimentary port scans).

OpenJDK did not properly handle JAR files containing multiple manifest files. An attacker could possibly use this to bypass JAR signature verification.

The HotSpot VM in OpenJDK did not properly perform range check elimination in some situations. An attacker could possibly use this to construct a Java class that could bypass Java sandbox restrictions.

OpenJDK preferred certain weak ciphers by default. An attacker could possibly use this to expose sensitive information.

The Rich Text Format (RTF) parser in OpenJDK did not properly restrict the amount of memory allocated in some situations. An attacker could use this to specially craft an RTF file that caused a denial of service.

The Rich Text Format (RTF) reader in OpenJDK did not properly restrict the amount of memory allocated in some situations. An attacker could use this to specially craft an RTF file that caused a denial of service.

The HashMap and HashSet implementations in OpenJDK did not properly validate load factors during deserialization. An attacker could use this to cause a denial of service (excessive memory consumption).

The keytool component in OpenJDK did not properly handle certificates with validity ending dates in the far future. An attacker could use this to specially craft a certificate that, when imported, could corrupt a keystore.

The HTTP server implementation in OpenJDK did not properly handle TLS session close in some situations. A remote attacker could possibly use this to cause a denial of service (application infinite loop).

The Kerberos implementation in OpenJDK did not correctly report subject principals when using Kerberos constrained delegation. An attacker could possibly use this to cause incorrect Kerberos tickets to be used.

The TLS implementation in OpenJDK did not properly handle TLS handshakes in certain situations where a Java application is acting as a TLS server. A remote attacker could possibly use this to cause a denial of service (application crash).

OpenJDK did not properly restrict the amount of memory allocated when processing BMP images. An attacker could use this to specially craft a BMP image file that could cause a denial of service.

The HotSpot VM in OpenJDK 8 did not properly perform validation of inner class index values in some situations. An attacker could use this to specially craft a class file that, when loaded, could cause a denial of service (Java VM crash).

The TLS implementation in OpenJDK used non-constant-time comparisons during TLS handshakes. A remote attacker could use this to expose sensitive information.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as High - 7.1 severity.
  • Solution: Refer to Ubuntu security advisory USN-5202-1 for updates and patch information.
  • Vendor References (Software Advisories):
    Advisory ID: USN-5202-1
    Software Component: Ubuntu Linux
    Link: ubuntu.com/security/notices/USN-5202-1