Bug 1602141 (CVE-2018-2938) - CVE-2018-2938 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, and 8u181 (Java DB)
Summary: CVE-2018-2938 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, an...
Alias: CVE-2018-2938
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: Embargoed1594250
TreeView+ depends on / blocked
Reported: 2018-07-17 21:07 UTC by Tomas Hoger
Modified: 2021-02-16 23:58 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-07-17 21:12:08 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2018-07-17 21:07:03 UTC
Oracle Java SE 6u201, 7u191, and 8u181 fixes an unspecified vulnerability in the Java DB component (CVE-2018-2938).  Upstream has CVSS scored this issue as: 9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

External Reference:


Comment 1 Tomas Hoger 2018-07-17 21:12:08 UTC
This issue did not affect Oracle Java SE packages as shipped via Oracle Java for Red Hat Enterprise Linux channels, as they did not include the Java DB / Apache Derby component.

Comment 2 Tomas Hoger 2018-07-17 21:14:39 UTC
The issue was addressed upstream by removing Java DB from the Oracle Java SE distribution.  Quoting from the upstream release notes:

  Removed Features and Options

  ➜ Removal of Java DB 

  Java DB, also known as Apache Derby, has been removed in this release.

  We recommend that you obtain the latest Apache Derby directly from the
  Apache project at:


  JDK-8197871 (not public) 


Comment 5 Tomas Hoger 2018-07-24 20:32:59 UTC
The Oracle CPU was updated and now has this note for this CVE:

  CVE-2018-2938 addresses CVE-2018-1313

Apparently, this CVE is a duplicate of a Derby issue that has been made public previously - CVE-2018-1313 / bug 1575639.

Note You need to log in before you can comment on or make changes to this bug.