It was discovered that the Kerberos implementation in the Security component of OpenJDK used RSA-MD5 checksum in Ticket Granting Service (TGS) requests even though MD5 algorithm is no longer considered safe for such use case. A remote attacker could possibly use this flaw to manipulate TGS requests.
Public now via Oracle CPU January 2020: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJAVA Fixed in Oracle Java SE 13.0.2, 11.0.6, 8u241, and 7u251.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0128 https://access.redhat.com/errata/RHSA-2020:0128
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0122 https://access.redhat.com/errata/RHSA-2020:0122
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0157 https://access.redhat.com/errata/RHSA-2020:0157
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0196 https://access.redhat.com/errata/RHSA-2020:0196
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0202 https://access.redhat.com/errata/RHSA-2020:0202
Typo error? Checkum -> checksum
Thanks, corrected.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0231 https://access.redhat.com/errata/RHSA-2020:0231
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0232 https://access.redhat.com/errata/RHSA-2020:0232
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0541 https://access.redhat.com/errata/RHSA-2020:0541
OpenJDK-7 upstream commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/42545cbbd2e6 OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/2c97a7a401c6 OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/e55db875d0ed
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0632 https://access.redhat.com/errata/RHSA-2020:0632
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-2601
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3386 https://access.redhat.com/errata/RHSA-2020:3386
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2020:3388 https://access.redhat.com/errata/RHSA-2020:3388
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2020:3387 https://access.redhat.com/errata/RHSA-2020:3387
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2020:5585 https://access.redhat.com/errata/RHSA-2020:5585