SVG:Advisory-SVG-2015-9707

From EGIWiki
Revision as of 14:43, 26 November 2015 by Cornwall (talk | contribs)

Advisory-SVG-2015-9707




** WHITE information - Unlimited distribution allowed                       **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2015-9707]

Title:       EGI SVG Advisory - Various Java CVEs with the maximum CVSS score.

Date:        2015-10-29
Updated:     2015-11-26


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9707

Introduction
============

Various vulnerabilities have been publicly announced concerning Java, some of which
have the maximum CVSS (Common Vulnerability Scoring System) score of 10, but details,
including the attack vectors, have not been published.

We cannot determine the exact effect these vulnerabilities may have in EGI from the
information currently available.

Since they have high CVSS scores, there is a fair chance that updating will become
urgent if and when information becomes publicly available, so we are recommending that
sites update in the coming days.

**UPDATE** 

Updates are now available resolving these for SL5, SL6 and SL7.

There is no further information on these vulnerabilities. 



Details
=======

Scientific Linux announced 'critical' updates concerning openjdk listing 17 CVEs [R 1].

One example of a CVE with a CVSS score of 10 is CVE-2015-4883 [R 2].

It would appear that all sources of Java (from Oracle and OpenJDK) were vulnerable,
but fixes are available for most operating systems.


Risk category
=============

It is not possible to establish the risk category for EGI, as insufficient details of
the vulnerabilities have been released. However, since the CVSS score is the maximum
of 10 for some of them, there is a fair chance that some may be considered at least 'high risk'
in the EGI environment if and when public information and public exploits become available.


Affected software
=================

It would appear that this issue affects multiple versions of Java 6, Java 7 and Java 8.

The versions of Java provided with Scientific Linux, Debian and Ubuntu are stated as being affected.

See the OS provider for more details.

**UPDATE** 

Scientific Linux has issued updates to resolve these vulnerabilities for SL5, SL6 and
SL7.  See [R 3].



Component installation information
==================================

See the appropriate OS provider sites.


Recommendations
===============

Sites are recommended to update to a non-vulnerable version of OpenJDK in the coming days. 


Credit
======

SVG was alerted to this by Ian Neilson.

References
==========

[R 1] https://www.scientificlinux.org/sl-errata/slsa-20151920-1/

[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4883

[R 3] https://www.scientificlinux.org/sl-errata/slsa-20152086-1/

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure, so suggestions
and comments are welcome.



Timeline
========
(yyyy-mm-dd)

2015-10-21 Scientific Linux announced the java-1.7.0-openjdk security update
2015-10-26 Ian Neilson alerted SVG to the Scientific Linux security announcement
2015-10-27 SVG decided to send an advisory to sites recommending updating
2015-10-29 Advisory sent to sites
2015-11-26 Update, as Scientific Linux has provided patches