SVG:Advisory-SVG-2015-9707

From EGIWiki
Revision as of 16:07, 29 October 2015 by Cornwall

** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2015-9707] 

Title:       EGI SVG Advisory - Various Java CVEs with maximum CVSS score.

Date:        2015-10-29  
Updated:    


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9707

Introduction
============

Various vulnerabilities have been publicly announced concerning Java, some of which 
have the maximum CVSS (Common Vulnerability Scoring System) score of 10, but details, 
including the attack vectors, have not been published. 

We cannot determine the exact effect these vulnerabilities may have in EGI from the 
information currently available. 

Since they have high CVSS scores, there is a fair chance that updating will become 
urgent if and when further information becomes public, so we are recommending that 
sites update in the coming days. 


Details
=======

Scientific Linux announced 'critical' updates for OpenJDK listing 17 CVEs [R 1].

One example of a CVE with a CVSS score of 10 is CVE-2015-4883 [R 2].

It would appear that all sources of Java (Oracle and OpenJDK) are affected, 
but fixes are available for most operating systems. 


Risk category
=============

It is not possible to establish the risk category for EGI as insufficient details 
of the vulnerabilities have been released. However, since some of them have the 
maximum CVSS score of 10, there is a fair chance that some may be considered at least 
'high risk' in the EGI environment if and when public information and public exploits 
become available. 


Affected software
=================

It would appear that this issue affects multiple versions of Java 6, Java 7 and Java 8. 

Versions of Java provided with Scientific Linux, Debian and Ubuntu are stated as being affected. 

See your OS provider's security announcements for more details. 


Component installation information
==================================

See the appropriate OS provider sites.


Recommendations
===============

Sites are recommended to update to a non-vulnerable version of OpenJDK in the coming days. 
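As an added, defender-side check that is not part of this advisory or of any Scientific Linux tooling, the POSIX shell script below lists the installed OpenJDK RPMs on a site node and flags any that are older than the fixed version published in the OS vendor's errata. The FIXED_VERSION value is a placeholder to be replaced with the version given for your platform in [R 1], and the sample package list used when rpm is absent is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory: report installed OpenJDK RPMs that
# are older than the fixed version published in the OS vendor's errata.
# FIXED_VERSION is a placeholder; take the real value for your platform from the
# Scientific Linux errata referenced as [R 1] in the advisory.
FIXED_VERSION="${FIXED_VERSION:-1.7.0.91-2.6.2.1}"   # placeholder, see [R 1]

# Constructed sample of `rpm -qa 'java-*-openjdk*'` output, used when rpm is
# not available (for example when trying the script on a non-RPM machine).
SAMPLE_PACKAGES='java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_7.x86_64
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_7.x86_64'

# package_version NEVRA: strip the package name, dist tag and arch from an rpm
# name such as java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el6_7.x86_64 and print
# the version-release part, here 1.7.0.91-2.6.2.1.
package_version() {
    printf '%s\n' "$1" | sed -e 's/^java-[0-9.]*-openjdk[a-z-]*-//' \
                             -e 's/\.el[0-9_]*\..*$//'
}

# version_lt A B: succeed (exit 0) if A sorts before B, comparing the dot- and
# dash-separated fields numerically. Non-numeric fields (e.g. "b17") count as 0,
# so this is an approximation of rpm's own ordering, sufficient for the
# version strings above.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# check_package NEVRA FIXED: print a verdict for one installed package and
# succeed only if it is at or above the fixed version.
check_package() {
    ver=$(package_version "$1")
    if version_lt "$ver" "$2"; then
        printf 'VULNERABLE  %s (installed %s < fixed %s)\n' "$1" "$ver" "$2"
        return 1
    fi
    printf 'ok          %s\n' "$1"
    return 0
}

# check_all FIXED: check every installed OpenJDK package (or the constructed
# sample when rpm is absent); succeed only if none needs updating.
check_all() {
    if command -v rpm >/dev/null 2>&1; then
        pkgs=$(rpm -qa 'java-*-openjdk*')
    else
        pkgs="$SAMPLE_PACKAGES"
    fi
    status=0
    for p in $pkgs; do
        check_package "$p" "$1" || status=1
    done
    return $status
}

if check_all "$FIXED_VERSION"; then
    echo "No OpenJDK package older than $FIXED_VERSION is installed."
else
    echo "Update OpenJDK as recommended in the advisory."
fi
```

Run it on an RPM-based node as `FIXED_VERSION=<version from the errata> sh check_openjdk.sh`; on Debian or Ubuntu the same comparison applies to the `dpkg -l 'openjdk-*'` output, but the package name pattern in package_version would need adjusting. Because the numeric comparison only approximates rpm's ordering, the authoritative confirmation that a given fix is present is the package changelog, e.g. `rpm -q --changelog java-1.7.0-openjdk | grep CVE-2015-4883`.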


Credit
======

SVG was alerted to this by Ian Neilson

References
==========

[R 1] https://www.scientificlinux.org/sl-errata/slsa-20151920-1/

[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4883


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure, so suggestions 
and comments are welcome. 



Timeline
========
(dates are yyyy-mm-dd)

2015-10-21 Scientific Linux announced java-1.7.0-openjdk security update
2015-10-26 Ian Neilson alerted SVG to the Scientific Linux security announcement 
2015-10-27 SVG decided to send an advisory to sites recommending updating
2015-10-29 Advisory sent to sites