|Main page||Software Security Checklist||Issue Handling||Advisories||Notes On Risk||Advisory Template||More|
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-2015-9707] Title: EGI SVG Advisory - Various Java CVE's with max CVSS score. Date: 2015-10-29 Updated: 2015-11-26 URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9707 Introduction ============ Various vulnerabilities have been publicly announced concerning Java, some of which have the maximum CVSS (Common Vulnerability Scoring System) score of 10, but details including the attack vectors are not specified. We cannot determine the exact effect these vulnerabilities may have in EGI from the information currently available. Since they have high CVSS scores if and when information becomes available publicly there is a fair chance that updating will become urgent, so we are recommending that sites update in the coming days. **UPDATE** Updates are now available resolving these for SL5, SL6 and SL7 [R 3] We have no further informaiton on these vulnerabilities. Details ======= Scientific Linux announced 'critical' updates concerning openjdk listing 17 CVE's [R 1] 1 example of a CVE with CVSS score of 10 [R 2] It would appear that all sources of java (from Oracle and OpenJDK) were vulnerable, but fixes are available for most Operating systems. Risk category ============= It is not possible to establish the risk category for EGI as insufficient details o f the vulnerabilities have been released. However, since the CVSS score is the maximum of 10 for some of them, there is a fair chance that some may be considered at least 'high risk' in the EGI environment if and when public information and public exploits become available. Affected software ================= It would appear that this issue affects multiple versions of Java 6, Java 7 and Java 8. Versions of Java provided with Scientific Linux, Debian and Ubuntu are stated as being affected. See OS provider for more details. **UPDATE** Scientific Linux has issued updates to resolve these vulnerabilities for SL5, SL6 and SL7. See [R 3] Component installation information ================================== See appropriate OS provider sites. Recommendations =============== Sites are recommended to update to a non-vulnerable version of OpenJDK in the coming days if they have not done so already. Credit ====== SVG was alerted to this by Ian Neilson References ========== [R 1] https://www.scientificlinux.org/sl-errata/slsa-20151920-1/ [R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4883 [R 3] https://www.scientificlinux.org/sl-errata/slsa-20152086-1/ Comments ======== Comments or questions should be sent to svg-rat at mailman.egi.eu We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. Timeline ======== Yyyy-mm-dd 2015-10-21 Scientific Linux announced java-1.7.0-openjdk security update 2015-10-26 Ian Neilson alerted SVG to the Scientific Linux security announcement 2015-10-27 SVG decided to send an advisory to sites recommending updating 2015-10-29 Advisory sent to sites 2015-11-26 Update as scientific linux has provided patches.