SB2019090224 - Red Hat Enterprise Linux 6 Supplementary update for java-1.8.0-ibm

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019090224

SB2019090224 - Red Hat Enterprise Linux 6 Supplementary update for java-1.8.0-ibm

Published: September 2, 2019 Updated: April 24, 2025

Security Bulletin ID SB2019090224
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 57% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2019-2762)

The vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).


2) Input validation error (CVE-ID: CVE-2019-2769)

The vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).


3) Protection Mechanism Failure (CVE-ID: CVE-2019-2786)

The vulnerability allows a remote attacker to bypass certain restrictions.

The vulnerability exists due to the the AccessController class implementation in the Security component failed in certain cases. A remote attacker can use an untrusted Java application or applet to bypass certain Java sandbox restrictions.

The vulnerability affects openjdk-jre package of an implementation of the Java Platform, Standard Edition (Java SE).

4) Improper access control (CVE-ID: CVE-2019-2816)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).


5) Use-after-free (CVE-ID: CVE-2019-7317)

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to a use-after-free memory error in the png_image_free function, as defined in the png.c source code file when calling on png_safe_execute. A remote attacker can send specially crafted data, trigger a call on png_safe_execute and trigger memory corruption, resulting in a DoS condition.


6) Out-of-bounds write (CVE-ID: CVE-2019-11772)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.


7) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2019-11775)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to the loop versioner may fail to privatize a value that is pulled out of the loop by versioning. A remote user can perform unauthorized actions by bypassing illegal character restrictions.


Remediation

Install update from vendor's website.

References