SB2019032528 - Red Hat Satellite 5 update for java-1.8.0-ibm

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Division by zero (CVE-ID: CVE-2018-11212)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to division by zero error within the libjpeg library within the libjpeg-turbo in alloc_sarray() function of jmemmgr.c file. A remote attacker can pass a specially crafted file the to affected application and cause application to crash.

2) Buffer overflow (CVE-ID: CVE-2018-12547)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

3) Input validation error (CVE-ID: CVE-2018-12549)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.

4) Information disclosure (CVE-ID: CVE-2019-2422)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to unspecified flaw in Libraries component. A remote attacker can gain access to sensitive information on the system.

5) Denial of service (CVE-ID: CVE-2019-2449)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to unspecified flaw in Deployment component. A remote attacker cause the service to crash.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2019:0640