csaf_opensuse - opensuse-su-2019:0161-1

opensuse-su-2019:0161-1

Vulnerability from csaf_opensuse

Published

2019-03-23 10:55

Modified

2019-03-23 10:55

Summary

Security update for java-11-openjdk

Notes

Title of the patch

Security update for java-11-openjdk

Description of the patch

This update for java-11-openjdk to version 11.0.2+7 fixes the following issues: Security issues fixed: - CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293) - CVE-2019-2426: Improve web server connections - CVE-2018-11212: Improve JPEG processing (bsc#1122299) - Better route routing - Better interface enumeration - Better interface lists - Improve BigDecimal support - Improve robot support - Better icon support - Choose printer defaults - Proper allocation handling - Initial class initialization - More reliable p11 transactions - Improve NIO stability - Better loading of classloader classes - Strengthen Windows Access Bridge Support - Improved data set handling - Improved LSA authentication - Libsunmscapi improved interactions Non-security issues fix: - Do not resolve by default the added JavaEE modules (bsc#1120431) - ~2.5% regression on compression benchmark starting with 12-b11 - java.net.http.HttpClient hangs on 204 reply without Content-length 0 - Add additional TeliaSonera root certificate - Add more ld preloading related info to hs_error file on Linux - Add test to exercise server-side client hello processing - AES encrypt performance regression in jdk11b11 - AIX: ProcessBuilder: Piping between created processes does not work. - AIX: Some class library files are missing the Classpath exception - AppCDS crashes for some uses with JRuby - Automate vtable/itable stub size calculation - BarrierSetC1::generate_referent_check() confuses register allocator - Better HTTP Redirection - Catastrophic size_t underflow in BitMap::*_large methods - Clip.isRunning() may return true after Clip.stop() was called - Compiler thread creation should be bounded by available space in memory and Code Cache - com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code - Default mask register for avx512 instructions - Delayed starting of debugging via jcmd - Disable all DES cipher suites - Disable anon and NULL cipher suites - Disable unsupported GCs for Zero - Epsilon alignment adjustments can overflow max TLAB size - Epsilon elastic TLAB sizing may cause misalignment - HotSpot update for vm_version.cpp to recognise updated VS2017 - HttpClient does not retrieve files with large sizes over HTTP/1.1 - IIOException 'tEXt chunk length is not proper' on opening png file - Improve TLS connection stability again - InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection - Inspect stack during error reporting - Instead of circle rendered in appl window, but ellipse is produced JEditor Pane - Introduce diagnostic flag to abort VM on failed JIT compilation - Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap - jar has issues with UNC-path arguments for the jar -C parameter [windows] - java.net.http HTTP client should allow specifying Origin and Referer headers - java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8 - JDK 11.0.1 l10n resource file update - JDWP Transport Listener: dt_socket thread crash - JVMTI ResourceExhausted should not be posted in CompilerThread - LDAPS communication failure with jdk 1.8.0_181 - linux: Poor StrictMath performance due to non-optimized compilation - Missing synchronization when reading counters for live threads and peak thread count - NPE in SupportedGroupsExtension - OpenDataException thrown when constructing CompositeData for StackTraceElement - Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader - Populate handlers while holding streamHandlerLock - ppc64: Enable POWER9 CPU detection - print_location is not reliable enough (printing register info) - Reconsider default option for ClassPathURLCheck change done in JDK-8195874 - Register to register spill may use AVX 512 move instruction on unsupported platform. - s390: Use of shift operators not covered by cpp standard - serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded - SIGBUS in CodeHeapState::print_names() - SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls - Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator - Swing apps are slow if displaying from a remote source to many local displays - switch jtreg to 4.2b13 - Test library OSInfo.getSolarisVersion cannot determine Solaris version - TestOptionsWithRanges.java is very slow - TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently - The Japanese message of FileNotFoundException garbled - The 'supported_groups' extension in ServerHellos - ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData - TimeZone.getDisplayName given Locale.US doesn't always honor the Locale. - TLS 1.2 Support algorithm in SunPKCS11 provider - TLS 1.3 handshake server name indication is missing on a session resume - TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes - TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth - tz: Upgrade time-zone data to tzdata2018g - Undefined behaviour in ADLC - Update avx512 implementation - URLStreamHandler initialization race - UseCompressedOops requirement check fails fails on 32-bit system - windows: Update OS detection code to recognize Windows Server 2019 - x86: assert on unbound assembler Labels used as branch targets - x86: jck tests for ldc2_w bytecode fail - x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization - '-XX:OnOutOfMemoryError' uses fork instead of vfork This update was imported from the SUSE:SLE-15:Update update project.

Patchnames

openSUSE-2019-161

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for java-11-openjdk",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for java-11-openjdk to version 11.0.2+7 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)\n- CVE-2019-2426: Improve web server connections\n- CVE-2018-11212: Improve JPEG processing (bsc#1122299)\n- Better route routing\n- Better interface enumeration\n- Better interface lists\n- Improve BigDecimal support\n- Improve robot support\n- Better icon support\n- Choose printer defaults\n- Proper allocation handling\n- Initial class initialization\n- More reliable p11 transactions\n- Improve NIO stability\n- Better loading of classloader classes\n- Strengthen Windows Access Bridge Support\n- Improved data set handling\n- Improved LSA authentication\n- Libsunmscapi improved interactions\n\nNon-security issues fix:\n\n- Do not resolve by default the added JavaEE modules (bsc#1120431)\n- ~2.5% regression on compression benchmark starting with 12-b11\n- java.net.http.HttpClient hangs on 204 reply without Content-length 0\n- Add additional TeliaSonera root certificate\n- Add more ld preloading related info to hs_error file on Linux\n- Add test to exercise server-side client hello processing\n- AES encrypt performance regression in jdk11b11\n- AIX: ProcessBuilder: Piping between created processes does not work.\n- AIX: Some class library files are missing the Classpath exception\n- AppCDS crashes for some uses with JRuby\n- Automate vtable/itable stub size calculation\n- BarrierSetC1::generate_referent_check() confuses register allocator\n- Better HTTP Redirection\n- Catastrophic size_t underflow in BitMap::*_large methods\n- Clip.isRunning() may return true after Clip.stop() was called\n- Compiler thread creation should be bounded by available space in memory and Code Cache\n- com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code\n- Default mask register for avx512 instructions\n- Delayed starting of debugging via jcmd\n- Disable all DES cipher suites\n- Disable anon and NULL cipher suites\n- Disable unsupported GCs for Zero\n- Epsilon alignment adjustments can overflow max TLAB size\n- Epsilon elastic TLAB sizing may cause misalignment\n- HotSpot update for vm_version.cpp to recognise updated VS2017\n- HttpClient does not retrieve files with large sizes over HTTP/1.1\n- IIOException \u0027tEXt chunk length is not proper\u0027 on opening png file\n- Improve TLS connection stability again\n- InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection\n- Inspect stack during error reporting\n- Instead of circle rendered in appl window, but ellipse is produced JEditor Pane\n- Introduce diagnostic flag to abort VM on failed JIT compilation\n- Invalid assert(HeapBaseMinAddress \u003e 0) in ReservedHeapSpace::initialize_compressed_heap\n- jar has issues with UNC-path arguments for the jar -C parameter [windows]\n- java.net.http HTTP client should allow specifying Origin and Referer headers\n- java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8\n- JDK 11.0.1 l10n resource file update\n- JDWP Transport Listener: dt_socket thread crash\n- JVMTI ResourceExhausted should not be posted in CompilerThread\n- LDAPS communication failure with jdk 1.8.0_181\n- linux: Poor StrictMath performance due to non-optimized compilation\n- Missing synchronization when reading counters for live threads and peak thread count\n- NPE in SupportedGroupsExtension\n- OpenDataException thrown when constructing CompositeData for StackTraceElement\n- Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader\n- Populate handlers while holding streamHandlerLock\n- ppc64: Enable POWER9 CPU detection\n- print_location is not reliable enough (printing register info)\n- Reconsider default option for ClassPathURLCheck change done in JDK-8195874\n- Register to register spill may use AVX 512 move instruction on unsupported platform.\n- s390: Use of shift operators not covered by cpp standard\n- serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()-\u003eis_loaded()) failed: must be at least loaded\n- SIGBUS in CodeHeapState::print_names()\n- SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls\n- Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator\n- Swing apps are slow if displaying from a remote source to many local displays\n- switch jtreg to 4.2b13\n- Test library OSInfo.getSolarisVersion cannot determine Solaris version\n- TestOptionsWithRanges.java is very slow\n- TestOptionsWithRanges.java of \u0027-XX:TLABSize=2147483648\u0027 fails intermittently\n- The Japanese message of FileNotFoundException garbled\n- The \u0027supported_groups\u0027 extension in ServerHellos\n- ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData\n- TimeZone.getDisplayName given Locale.US doesn\u0027t always honor the Locale.\n- TLS 1.2 Support algorithm in SunPKCS11 provider\n- TLS 1.3 handshake server name indication is missing on a session resume\n- TLS 1.3 server fails if ClientHello doesn\u0027t have pre_shared_key and psk_key_exchange_modes\n- TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth\n- tz: Upgrade time-zone data to tzdata2018g\n- Undefined behaviour in ADLC\n- Update avx512 implementation\n- URLStreamHandler initialization race\n- UseCompressedOops requirement check fails fails on 32-bit system\n- windows: Update OS detection code to recognize Windows Server 2019\n- x86: assert on unbound assembler Labels used as branch targets\n- x86: jck tests for ldc2_w bytecode fail\n- x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization\n- \u0027-XX:OnOutOfMemoryError\u0027 uses fork instead of vfork\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2019-161",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_0161-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2019:0161-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ORCDRSEWQ6BJYEU2ZLJO4T4GEPU43V5Y/#ORCDRSEWQ6BJYEU2ZLJO4T4GEPU43V5Y"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2019:0161-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ORCDRSEWQ6BJYEU2ZLJO4T4GEPU43V5Y/#ORCDRSEWQ6BJYEU2ZLJO4T4GEPU43V5Y"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1120431",
        "url": "https://bugzilla.suse.com/1120431"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1122293",
        "url": "https://bugzilla.suse.com/1122293"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1122299",
        "url": "https://bugzilla.suse.com/1122299"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-11212 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-11212/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-2422 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-2422/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-2426 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-2426/"
      }
    ],
    "title": "Security update for java-11-openjdk",
    "tracking": {
      "current_release_date": "2019-03-23T10:55:18Z",
      "generator": {
        "date": "2019-03-23T10:55:18Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2019:0161-1",
      "initial_release_date": "2019-03-23T10:55:18Z",
      "revision_history": [
        {
          "date": "2019-03-23T10:55:18Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
                "product": {
                  "name": "java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
                  "product_id": "java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
                "product": {
                  "name": "java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
                  "product_id": "java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
                "product": {
                  "name": "java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
                  "product_id": "java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
                "product": {
                  "name": "java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
                  "product_id": "java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
                "product": {
                  "name": "java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
                  "product_id": "java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
                "product": {
                  "name": "java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
                  "product_id": "java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
                "product": {
                  "name": "java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
                  "product_id": "java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64",
                "product": {
                  "name": "java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64",
                  "product_id": "java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.0",
                "product": {
                  "name": "openSUSE Leap 15.0",
                  "product_id": "openSUSE Leap 15.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64"
        },
        "product_reference": "java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64"
        },
        "product_reference": "java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64"
        },
        "product_reference": "java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64"
        },
        "product_reference": "java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64"
        },
        "product_reference": "java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch"
        },
        "product_reference": "java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64"
        },
        "product_reference": "java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
        },
        "product_reference": "java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-11212",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-11212"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
          "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-11212",
          "url": "https://www.suse.com/security/cve/CVE-2018-11212"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1122299 for CVE-2018-11212",
          "url": "https://bugzilla.suse.com/1122299"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
            "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
            "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-03-23T10:55:18Z",
          "details": "low"
        }
      ],
      "title": "CVE-2018-11212"
    },
    {
      "cve": "CVE-2019-2422",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-2422"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
          "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-2422",
          "url": "https://www.suse.com/security/cve/CVE-2019-2422"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1122293 for CVE-2019-2422",
          "url": "https://bugzilla.suse.com/1122293"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
            "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
            "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-03-23T10:55:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-2422"
    },
    {
      "cve": "CVE-2019-2426",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-2426"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
          "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
          "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-2426",
          "url": "https://www.suse.com/security/cve/CVE-2019-2426"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1134297 for CVE-2019-2426",
          "url": "https://bugzilla.suse.com/1134297"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
            "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:java-11-openjdk-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-demo-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-devel-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-headless-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1.noarch",
            "openSUSE Leap 15.0:java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1.x86_64",
            "openSUSE Leap 15.0:java-11-openjdk-src-11.0.2.0-lp150.2.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-03-23T10:55:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-2426"
    }
  ]
}

CVE-2019-2426 (GCVE-0-2019-2426)

Vulnerability from cvelistv5

Published

2019-01-16 19:00

Modified

2024-10-02 16:19

Severity ?

CWE

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.

Summary

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

References

►

URL

Tags

	https://security.netapp.com/advisory/ntap-20190118-0001/	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/201903-14	vendor-advisory, x_refsource_GENTOO
	http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/106590	vdb-entry, x_refsource_BID
	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html	vendor-advisory, x_refsource_SUSE
	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03958en_us	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Java	Version: Java SE: 7u201, 8u192, 11.0.1 Version: Java SE Embedded: 8u191

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:49:47.739Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
          },
          {
            "name": "GLSA-201903-14",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201903-14"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "name": "106590",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106590"
          },
          {
            "name": "openSUSE-SU-2019:1439",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
          },
          {
            "name": "openSUSE-SU-2019:1500",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-2426",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T14:02:59.357141Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T16:19:50.688Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Java",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Java SE: 7u201, 8u192, 11.0.1"
            },
            {
              "status": "affected",
              "version": "Java SE Embedded: 8u191"
            }
          ]
        }
      ],
      "datePublic": "2019-01-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Java SE accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-02T18:06:05",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
        },
        {
          "name": "GLSA-201903-14",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201903-14"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "name": "106590",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106590"
        },
        {
          "name": "openSUSE-SU-2019:1439",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
        },
        {
          "name": "openSUSE-SU-2019:1500",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2019-2426",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Java",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "Java SE: 7u201, 8u192, 11.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "Java SE Embedded: 8u191"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Java SE accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.netapp.com/advisory/ntap-20190118-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
            },
            {
              "name": "GLSA-201903-14",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201903-14"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "106590",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106590"
            },
            {
              "name": "openSUSE-SU-2019:1439",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
            },
            {
              "name": "openSUSE-SU-2019:1500",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us",
              "refsource": "CONFIRM",
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2019-2426",
    "datePublished": "2019-01-16T19:00:00",
    "dateReserved": "2018-12-14T00:00:00",
    "dateUpdated": "2024-10-02T16:19:50.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-2422 (GCVE-0-2019-2422)

Vulnerability from cvelistv5

Published

2019-01-16 19:00

Modified

2024-10-02 16:20

Severity ?

CWE

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.

Summary

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2019:0462	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0464	vendor-advisory, x_refsource_REDHAT
	https://security.netapp.com/advisory/ntap-20190118-0001/	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2019:0435	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0416	vendor-advisory, x_refsource_REDHAT
	https://security.gentoo.org/glsa/201903-14	vendor-advisory, x_refsource_GENTOO
	http://www.securityfocus.com/bid/106596	vdb-entry, x_refsource_BID
	https://access.redhat.com/errata/RHSA-2019:0474	vendor-advisory, x_refsource_REDHAT
	http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2019:0469	vendor-advisory, x_refsource_REDHAT
	https://usn.ubuntu.com/3875-1/	vendor-advisory, x_refsource_UBUNTU
	https://access.redhat.com/errata/RHSA-2019:0473	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0472	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0436	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html	vendor-advisory, x_refsource_SUSE
	https://seclists.org/bugtraq/2019/Mar/27	mailing-list, x_refsource_BUGTRAQ
	https://www.debian.org/security/2019/dsa-4410	vendor-advisory, x_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2019:0640	vendor-advisory, x_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2019/03/msg00033.html	mailing-list, x_refsource_MLIST
	https://usn.ubuntu.com/3942-1/	vendor-advisory, x_refsource_UBUNTU
	https://usn.ubuntu.com/3949-1/	vendor-advisory, x_refsource_UBUNTU
	https://access.redhat.com/errata/RHSA-2019:1238	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html	vendor-advisory, x_refsource_SUSE
	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03958en_us	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Java	Version: Java SE: 7u201, 8u192, 11.0.1 Version: Java SE Embedded: 8u191

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:49:46.377Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2019:0462",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0462"
          },
          {
            "name": "RHSA-2019:0464",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0464"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
          },
          {
            "name": "RHSA-2019:0435",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0435"
          },
          {
            "name": "RHSA-2019:0416",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0416"
          },
          {
            "name": "GLSA-201903-14",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201903-14"
          },
          {
            "name": "106596",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106596"
          },
          {
            "name": "RHSA-2019:0474",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0474"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "name": "RHSA-2019:0469",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0469"
          },
          {
            "name": "USN-3875-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3875-1/"
          },
          {
            "name": "RHSA-2019:0473",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0473"
          },
          {
            "name": "RHSA-2019:0472",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0472"
          },
          {
            "name": "RHSA-2019:0436",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0436"
          },
          {
            "name": "openSUSE-SU-2019:0346",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html"
          },
          {
            "name": "20190320 [SECURITY] [DSA 4410-1] openjdk-8 security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Mar/27"
          },
          {
            "name": "DSA-4410",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4410"
          },
          {
            "name": "RHSA-2019:0640",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0640"
          },
          {
            "name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1732-1] openjdk-7 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00033.html"
          },
          {
            "name": "USN-3942-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3942-1/"
          },
          {
            "name": "USN-3949-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3949-1/"
          },
          {
            "name": "RHSA-2019:1238",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1238"
          },
          {
            "name": "openSUSE-SU-2019:1439",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
          },
          {
            "name": "openSUSE-SU-2019:1500",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-2422",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T14:03:02.619178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T16:20:23.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Java",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Java SE: 7u201, 8u192, 11.0.1"
            },
            {
              "status": "affected",
              "version": "Java SE Embedded: 8u191"
            }
          ]
        }
      ],
      "datePublic": "2019-01-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Java SE accessible data.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-02T18:06:03",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "RHSA-2019:0462",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0462"
        },
        {
          "name": "RHSA-2019:0464",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0464"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
        },
        {
          "name": "RHSA-2019:0435",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0435"
        },
        {
          "name": "RHSA-2019:0416",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0416"
        },
        {
          "name": "GLSA-201903-14",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201903-14"
        },
        {
          "name": "106596",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106596"
        },
        {
          "name": "RHSA-2019:0474",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0474"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "name": "RHSA-2019:0469",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0469"
        },
        {
          "name": "USN-3875-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3875-1/"
        },
        {
          "name": "RHSA-2019:0473",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0473"
        },
        {
          "name": "RHSA-2019:0472",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0472"
        },
        {
          "name": "RHSA-2019:0436",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0436"
        },
        {
          "name": "openSUSE-SU-2019:0346",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html"
        },
        {
          "name": "20190320 [SECURITY] [DSA 4410-1] openjdk-8 security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Mar/27"
        },
        {
          "name": "DSA-4410",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4410"
        },
        {
          "name": "RHSA-2019:0640",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0640"
        },
        {
          "name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1732-1] openjdk-7 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00033.html"
        },
        {
          "name": "USN-3942-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3942-1/"
        },
        {
          "name": "USN-3949-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3949-1/"
        },
        {
          "name": "RHSA-2019:1238",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1238"
        },
        {
          "name": "openSUSE-SU-2019:1439",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
        },
        {
          "name": "openSUSE-SU-2019:1500",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2019-2422",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Java",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "Java SE: 7u201, 8u192, 11.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "Java SE Embedded: 8u191"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Java SE accessible data."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2019:0462",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0462"
            },
            {
              "name": "RHSA-2019:0464",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0464"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190118-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
            },
            {
              "name": "RHSA-2019:0435",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0435"
            },
            {
              "name": "RHSA-2019:0416",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0416"
            },
            {
              "name": "GLSA-201903-14",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201903-14"
            },
            {
              "name": "106596",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106596"
            },
            {
              "name": "RHSA-2019:0474",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0474"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "RHSA-2019:0469",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0469"
            },
            {
              "name": "USN-3875-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3875-1/"
            },
            {
              "name": "RHSA-2019:0473",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0473"
            },
            {
              "name": "RHSA-2019:0472",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0472"
            },
            {
              "name": "RHSA-2019:0436",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0436"
            },
            {
              "name": "openSUSE-SU-2019:0346",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html"
            },
            {
              "name": "20190320 [SECURITY] [DSA 4410-1] openjdk-8 security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Mar/27"
            },
            {
              "name": "DSA-4410",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4410"
            },
            {
              "name": "RHSA-2019:0640",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0640"
            },
            {
              "name": "[debian-lts-announce] 20190327 [SECURITY] [DLA 1732-1] openjdk-7 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00033.html"
            },
            {
              "name": "USN-3942-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3942-1/"
            },
            {
              "name": "USN-3949-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3949-1/"
            },
            {
              "name": "RHSA-2019:1238",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1238"
            },
            {
              "name": "openSUSE-SU-2019:1439",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
            },
            {
              "name": "openSUSE-SU-2019:1500",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us",
              "refsource": "CONFIRM",
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2019-2422",
    "datePublished": "2019-01-16T19:00:00",
    "dateReserved": "2018-12-14T00:00:00",
    "dateUpdated": "2024-10-02T16:20:23.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-11212 (GCVE-0-2018-11212)

Vulnerability from cvelistv5

Published

2018-05-16 17:00

Modified

2024-08-05 08:01

Severity ?

CWE

Summary

An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.

References

►

URL

Tags

	http://www.securityfocus.com/bid/106583	vdb-entry, x_refsource_BID
	https://usn.ubuntu.com/3706-2/	vendor-advisory, x_refsource_UBUNTU
	https://access.redhat.com/errata/RHSA-2019:0474	vendor-advisory, x_refsource_REDHAT
	https://usn.ubuntu.com/3706-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.debian.org/debian-lts-announce/2019/01/msg00015.html	mailing-list, x_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:0469	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0473	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0472	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:0640	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1238	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHSA-2019:2052	vendor-advisory, x_refsource_REDHAT
	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20190118-0001/	x_refsource_CONFIRM
	https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a	x_refsource_MISC
	http://www.ijg.org/	x_refsource_MISC
	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03958en_us	x_refsource_CONFIRM
	https://github.com/zzyyrr/divide-by-zero-in-libjpeg-9d.git	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:01:52.817Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "106583",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106583"
          },
          {
            "name": "USN-3706-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3706-2/"
          },
          {
            "name": "RHSA-2019:0474",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0474"
          },
          {
            "name": "USN-3706-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3706-1/"
          },
          {
            "name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1638-1] libjpeg-turbo security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00015.html"
          },
          {
            "name": "RHSA-2019:0469",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0469"
          },
          {
            "name": "RHSA-2019:0473",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0473"
          },
          {
            "name": "RHSA-2019:0472",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0472"
          },
          {
            "name": "openSUSE-SU-2019:0346",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html"
          },
          {
            "name": "RHSA-2019:0640",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0640"
          },
          {
            "name": "RHSA-2019:1238",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1238"
          },
          {
            "name": "openSUSE-SU-2019:1439",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
          },
          {
            "name": "openSUSE-SU-2019:1500",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
          },
          {
            "name": "RHSA-2019:2052",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2052"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.ijg.org/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zzyyrr/divide-by-zero-in-libjpeg-9d.git"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-05-16T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T23:19:25",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "106583",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106583"
        },
        {
          "name": "USN-3706-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3706-2/"
        },
        {
          "name": "RHSA-2019:0474",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0474"
        },
        {
          "name": "USN-3706-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3706-1/"
        },
        {
          "name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1638-1] libjpeg-turbo security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00015.html"
        },
        {
          "name": "RHSA-2019:0469",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0469"
        },
        {
          "name": "RHSA-2019:0473",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0473"
        },
        {
          "name": "RHSA-2019:0472",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0472"
        },
        {
          "name": "openSUSE-SU-2019:0346",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html"
        },
        {
          "name": "RHSA-2019:0640",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0640"
        },
        {
          "name": "RHSA-2019:1238",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1238"
        },
        {
          "name": "openSUSE-SU-2019:1439",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
        },
        {
          "name": "openSUSE-SU-2019:1500",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
        },
        {
          "name": "RHSA-2019:2052",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2052"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.ijg.org/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zzyyrr/divide-by-zero-in-libjpeg-9d.git"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-11212",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "106583",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/106583"
            },
            {
              "name": "USN-3706-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3706-2/"
            },
            {
              "name": "RHSA-2019:0474",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0474"
            },
            {
              "name": "USN-3706-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3706-1/"
            },
            {
              "name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1638-1] libjpeg-turbo security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00015.html"
            },
            {
              "name": "RHSA-2019:0469",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0469"
            },
            {
              "name": "RHSA-2019:0473",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0473"
            },
            {
              "name": "RHSA-2019:0472",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0472"
            },
            {
              "name": "openSUSE-SU-2019:0346",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00028.html"
            },
            {
              "name": "RHSA-2019:0640",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0640"
            },
            {
              "name": "RHSA-2019:1238",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1238"
            },
            {
              "name": "openSUSE-SU-2019:1439",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00059.html"
            },
            {
              "name": "openSUSE-SU-2019:1500",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00013.html"
            },
            {
              "name": "RHSA-2019:2052",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2052"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190118-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190118-0001/"
            },
            {
              "name": "https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a",
              "refsource": "MISC",
              "url": "https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a"
            },
            {
              "name": "http://www.ijg.org/",
              "refsource": "MISC",
              "url": "http://www.ijg.org/"
            },
            {
              "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us",
              "refsource": "CONFIRM",
              "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03958en_us"
            },
            {
              "name": "https://github.com/zzyyrr/divide-by-zero-in-libjpeg-9d.git",
              "refsource": "MISC",
              "url": "https://github.com/zzyyrr/divide-by-zero-in-libjpeg-9d.git"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-11212",
    "datePublished": "2018-05-16T17:00:00",
    "dateReserved": "2018-05-16T00:00:00",
    "dateUpdated": "2024-08-05T08:01:52.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2019:0161-1

Vulnerability from csaf_opensuse

CVE-2019-2426 (GCVE-0-2019-2426)

Vulnerability from cvelistv5

CVE-2019-2422 (GCVE-0-2019-2422)

Vulnerability from cvelistv5

CVE-2018-11212 (GCVE-0-2018-11212)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature