Security Advisory Critical: java-1.8.0-oracle security update

Advisory: RHSA-2017:0175-3
Type: Security Advisory
Severity: Critical
Issued on: 2017-01-19
Last updated on: 2017-01-19
Affected Products: Oracle Java for Red Hat Enterprise Linux Desktop (v. 6)
Oracle Java for Red Hat Enterprise Linux Desktop (v. 7)
Oracle Java for Red Hat Enterprise Linux HPC Node (v. 6)
Oracle Java for Red Hat Enterprise Linux HPC Node (v. 7)
Oracle Java for Red Hat Enterprise Linux Server (v. 6)
Oracle Java for Red Hat Enterprise Linux Server (v. 7)
Oracle Java for Red Hat Enterprise Linux Workstation (v. 6)
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2016-5546
CVE-2016-5547
CVE-2016-5548
CVE-2016-5549
CVE-2016-5552
CVE-2016-8328
CVE-2017-3231
CVE-2017-3241
CVE-2017-3252
CVE-2017-3253
CVE-2017-3259
CVE-2017-3261
CVE-2017-3262
CVE-2017-3272
CVE-2017-3289

Details

An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat
Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the
Oracle Java Software Development Kit.

This update upgrades Oracle Java SE 8 to version 8 Update 121.

Security Fix(es):

* This update fixes multiple vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further information
about these flaws can be found on the Oracle Java SE Critical Patch Update
Advisory page, listed in the References section. (CVE-2016-2183, CVE-2016-5546,
CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328,
CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259,
CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289)

This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to
the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms
security property), so they are only used if the connecting TLS/SSL client and
server do not share any other non-legacy cipher suite.
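
A post-update check for the mitigation described above, as an added example that is not part of the advisory and is not Red Hat or Oracle code: it reads jdk.tls.legacyAlgorithms from the running JRE and models the selection rule on two constructed peer offers. The class name, the substring match and the select() helper are assumptions made for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class LegacySuiteCheck {

    // Entries of jdk.tls.legacyAlgorithms as configured in this JRE.
    static List<String> legacyEntries() {
        List<String> out = new ArrayList<>();
        String prop = Security.getProperty("jdk.tls.legacyAlgorithms");
        if (prop != null) {
            for (String e : prop.split(",")) {
                if (!e.trim().isEmpty()) out.add(e.trim());
            }
        }
        return out;
    }

    // Simplification (assumption): match by substring of the suite name.
    // The JDK decomposes suite names into components instead; a substring
    // match is sufficient for the 3DES_EDE_CBC entry this advisory concerns.
    static boolean isLegacy(String suite, List<String> legacy) {
        for (String e : legacy) {
            if (suite.contains(e)) return true;
        }
        return false;
    }

    // Model of the rule in the advisory: the first shared non-legacy suite in
    // preference order wins; a legacy suite is picked only as a last resort.
    static String select(List<String> preferred, List<String> other, List<String> legacy) {
        String fallback = null;
        for (String s : preferred) {
            if (!other.contains(s)) continue;
            if (!isLegacy(s, legacy)) return s;
            if (fallback == null) fallback = s;
        }
        return fallback;
    }

    public static void main(String[] args) throws Exception {
        List<String> legacy = legacyEntries();
        System.out.println("3DES listed as legacy: " + legacy.contains("3DES_EDE_CBC"));
        List<String> local = Arrays.asList(
            SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites());
        // Constructed peer offers: one shares AES as well, one offers 3DES only.
        String tdes = "SSL_RSA_WITH_3DES_EDE_CBC_SHA", aes = "TLS_RSA_WITH_AES_128_CBC_SHA";
        System.out.println("peer offers 3DES and AES -> " + select(local, Arrays.asList(tdes, aes), legacy));
        System.out.println("peer offers 3DES only    -> " + select(local, Arrays.asList(tdes), legacy));
    }
}
```

Run it with the updated JRE; a null result for the 3DES-only peer means the local JRE does not enable that suite at all.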


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Oracle Java must be restarted for this update to take
effect.

Updated packages

Oracle Java for Red Hat Enterprise Linux Desktop (v. 6)

IA-32:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el6_8.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
 
Oracle Java for Red Hat Enterprise Linux Desktop (v. 7)

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
 
Oracle Java for Red Hat Enterprise Linux HPC Node (v. 6)

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
 
Oracle Java for Red Hat Enterprise Linux HPC Node (v. 7)

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
 
Oracle Java for Red Hat Enterprise Linux Server (v. 6)

IA-32:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el6_8.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
 
Oracle Java for Red Hat Enterprise Linux Server (v. 7)

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
 
Oracle Java for Red Hat Enterprise Linux Workstation (v. 6)

IA-32:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el6_8.i686.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el6_8.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el6_8.x86_64.rpm
 
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7)

x86_64:
java-1.8.0-oracle-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.121-1jpp.1.el7_3.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1413554 - CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344)
1413562 - CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104)
1413583 - CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988)
1413653 - CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147)
1413717 - CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)
1413764 - CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705)
1413882 - CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223)
1413906 - CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743)
1413911 - CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714)
1413920 - CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728)
1413923 - CVE-2016-5549 OpenJDK: ECDSA implementation timing attack (Libraries, 8168724)
1413955 - CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)
1414162 - CVE-2017-3262 Oracle JDK: unspecified vulnerability fixed in 8u121 (Java Mission Control)
1414163 - CVE-2017-3259 Oracle JDK: unspecified vulnerability fixed in 6u141, 7u131, and 8u121 (Deployment)
1414164 - CVE-2016-8328 Oracle JDK: unspecified vulnerability fixed in 8u121 (Java Mission Control)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/