Bug 1602141 (CVE-2018-2938)

Summary: CVE-2018-2938 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, and 8u181 (Java DB)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: java-qa
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-07-17 21:12:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1594250

Description Tomas Hoger 2018-07-17 21:07:03 UTC
Oracle Java SE 6u201, 7u191, and 8u181 fix an unspecified vulnerability in the Java DB component (CVE-2018-2938). Upstream has CVSS scored this issue as: 9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

External Reference:

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA

Comment 1 Tomas Hoger 2018-07-17 21:12:08 UTC
This issue did not affect Oracle Java SE packages as shipped via Oracle Java for Red Hat Enterprise Linux channels, as they did not include the Java DB / Apache Derby component.

Comment 2 Tomas Hoger 2018-07-17 21:14:39 UTC
The issue was addressed upstream by removing Java DB from the Oracle Java SE distribution. Quoting from the upstream release notes:

  Removed Features and Options

  other-libs/javadb
  ➜ Removal of Java DB

  Java DB, also known as Apache Derby, has been removed in this release.

  We recommend that you obtain the latest Apache Derby directly from the
  Apache project at:

  https://db.apache.org/derby

  JDK-8197871 (not public)

http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_191
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_201

Comment 5 Tomas Hoger 2018-07-24 20:32:59 UTC
The Oracle CPU was updated and now has this note for this CVE:

  CVE-2018-2938 addresses CVE-2018-1313

Apparently, this CVE is a duplicate of a Derby issue that has been made public previously - CVE-2018-1313 / bug 1575639.