Bug 1639293 (CVE-2018-3169) - CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
Summary: CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
Status: CLOSED ERRATA
Alias: CVE-2018-3169
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20181016,repor...
Keywords: Security
Depends On: 1639730 1646175 1649856 1633820 1633821 1633822 1639728 1639729 1639731 1639732 1639733 1639734 1639736 1639737 1639780 1646173 1646174 1649854 1649855 1652094 1652099 1652100
Blocks: 1633819
TreeView+ depends on / blocked
 
Reported: 2018-10-15 13:09 UTC by Tomas Hoger
Modified: 2018-12-18 21:53 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-18 21:53:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2942 None None None 2018-10-17 21:22 UTC
Red Hat Product Errata RHSA-2018:2943 None None None 2018-10-17 21:22 UTC
Red Hat Product Errata RHSA-2018:3000 None None None 2018-10-24 22:05 UTC
Red Hat Product Errata RHSA-2018:3001 None None None 2018-10-24 22:06 UTC
Red Hat Product Errata RHSA-2018:3002 None None None 2018-10-24 22:06 UTC
Red Hat Product Errata RHSA-2018:3003 None None None 2018-10-24 22:07 UTC
Red Hat Product Errata RHSA-2018:3350 None None None 2018-10-30 09:18 UTC
Red Hat Product Errata RHSA-2018:3409 None None None 2018-10-30 16:59 UTC
Red Hat Product Errata RHSA-2018:3521 None None None 2018-11-07 18:13 UTC
Red Hat Product Errata RHSA-2018:3533 None None None 2018-11-09 11:49 UTC
Red Hat Product Errata RHSA-2018:3534 None None None 2018-11-09 11:49 UTC
Red Hat Product Errata RHSA-2018:3671 None None None 2018-11-26 15:42 UTC
Red Hat Product Errata RHSA-2018:3672 None None None 2018-11-26 15:43 UTC
Red Hat Product Errata RHSA-2018:3779 None None None 2018-12-05 15:53 UTC
Red Hat Product Errata RHSA-2018:3852 None None None 2018-12-18 15:50 UTC

Description Tomas Hoger 2018-10-15 13:09:30 UTC
It was discovered that the Hotspot component of OpenJDK did not perform access checks correctly in certain cases when performing field link resolution.  An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

Comment 1 Tomas Hoger 2018-10-16 20:52:40 UTC
Public now via Oracle CPU October 2018:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA

The issue was fixed in Oracle JDK 11.0.1, 8u191, and 7u201.

Comment 3 errata-xmlrpc 2018-10-17 21:21:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2942 https://access.redhat.com/errata/RHSA-2018:2942

Comment 4 errata-xmlrpc 2018-10-17 21:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2943 https://access.redhat.com/errata/RHSA-2018:2943

Comment 5 Tomas Hoger 2018-10-19 20:32:33 UTC
OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/rev/3af740792979

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/5370691ecaff

Comment 6 errata-xmlrpc 2018-10-24 22:05:35 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000

Comment 7 errata-xmlrpc 2018-10-24 22:06:12 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001

Comment 8 errata-xmlrpc 2018-10-24 22:06:48 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002

Comment 9 errata-xmlrpc 2018-10-24 22:07:30 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003

Comment 11 errata-xmlrpc 2018-10-30 09:18:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3350 https://access.redhat.com/errata/RHSA-2018:3350

Comment 12 errata-xmlrpc 2018-10-30 16:59:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3409 https://access.redhat.com/errata/RHSA-2018:3409

Comment 13 errata-xmlrpc 2018-11-07 18:13:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521

Comment 14 errata-xmlrpc 2018-11-09 11:49:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533

Comment 15 errata-xmlrpc 2018-11-09 11:49:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534

Comment 18 errata-xmlrpc 2018-11-26 15:42:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671

Comment 19 errata-xmlrpc 2018-11-26 15:43:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672

Comment 20 errata-xmlrpc 2018-12-05 15:52:56 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779

Comment 21 errata-xmlrpc 2018-12-18 15:50:57 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852


Note You need to log in before you can comment on or make changes to this bug.