{"id":"USN-3194-1","summary":"openjdk-7 vulnerabilities","details":"Karthik Bhargavan and Gaetan Leurent discovered that the DES and\nTriple DES ciphers were vulnerable to birthday attacks.  A remote\nattacker could possibly use this flaw to obtain clear text data from\nlong encrypted sessions. This update moves those algorithms to the\nlegacy algorithm set and causes them to be used only if no non-legacy\nalgorithms can be negotiated. (CVE-2016-2183)\n\nIt was discovered that OpenJDK accepted ECSDA signatures using\nnon-canonical DER encoding. An attacker could use this to modify or\nexpose sensitive data. (CVE-2016-5546)\n\nIt was discovered that OpenJDK did not properly verify object\nidentifier (OID) length when reading Distinguished Encoding Rules\n(DER) records, as used in x.509 certificates and elsewhere. An\nattacker could use this to cause a denial of service (memory\nconsumption). (CVE-2016-5547)\n\nIt was discovered that covert timing channel vulnerabilities existed\nin the DSA implementations in OpenJDK. A remote attacker could use\nthis to expose sensitive information. (CVE-2016-5548)\n\nIt was discovered that the URLStreamHandler class in OpenJDK did not\nproperly parse user information from a URL. A remote attacker could\nuse this to expose sensitive information. (CVE-2016-5552)\n\nIt was discovered that the URLClassLoader class in OpenJDK did not\nproperly check access control context when downloading class files. A\nremote attacker could use this to expose sensitive information.\n(CVE-2017-3231)\n\nIt was discovered that the Remote Method Invocation (RMI)\nimplementation in OpenJDK performed deserialization of untrusted\ninputs. A remote attacker could use this to execute arbitrary\ncode. (CVE-2017-3241)\n\nIt was discovered that the Java Authentication and Authorization\nService (JAAS) component of OpenJDK did not properly perform user\nsearch LDAP queries. An attacker could use a specially constructed\nLDAP entry to expose or modify sensitive information. (CVE-2017-3252)\n\nIt was discovered that the PNGImageReader class in OpenJDK did not\nproperly handle iTXt and zTXt chunks. An attacker could use this to\ncause a denial of service (memory consumption). (CVE-2017-3253)\n\nIt was discovered that integer overflows existed in the\nSocketInputStream and SocketOutputStream classes of OpenJDK. An\nattacker could use this to expose sensitive information.\n(CVE-2017-3261)\n\nIt was discovered that the atomic field updaters in the\njava.util.concurrent.atomic package in OpenJDK did not properly\nrestrict access to protected field members. An attacker could use\nthis to specially craft a Java application or applet that could bypass\nJava sandbox restrictions. (CVE-2017-3272)\n\nIt was discovered that a vulnerability existed in the class\nconstruction implementation in OpenJDK. An attacker could use this\nto specially craft a Java application or applet that could bypass\nJava sandbox restrictions. (CVE-2017-3289)\n","modified":"2026-02-10T04:41:05Z","published":"2017-02-09T05:44:32Z","related":["UBUNTU-CVE-2016-2183","UBUNTU-CVE-2016-5546","UBUNTU-CVE-2016-5547","UBUNTU-CVE-2016-5548","UBUNTU-CVE-2016-5552","UBUNTU-CVE-2017-3231","UBUNTU-CVE-2017-3241","UBUNTU-CVE-2017-3252","UBUNTU-CVE-2017-3253","UBUNTU-CVE-2017-3261","UBUNTU-CVE-2017-3272","UBUNTU-CVE-2017-3289"],"upstream":["CVE-2016-2183","CVE-2016-5546","CVE-2016-5547","CVE-2016-5548","CVE-2016-5552","CVE-2017-3231","CVE-2017-3241","CVE-2017-3252","CVE-2017-3253","CVE-2017-3261","CVE-2017-3272","CVE-2017-3289","UBUNTU-CVE-2016-2183","UBUNTU-CVE-2016-5546","UBUNTU-CVE-2016-5547","UBUNTU-CVE-2016-5548","UBUNTU-CVE-2016-5552","UBUNTU-CVE-2017-3231","UBUNTU-CVE-2017-3241","UBUNTU-CVE-2017-3252","UBUNTU-CVE-2017-3253","UBUNTU-CVE-2017-3261","UBUNTU-CVE-2017-3272","UBUNTU-CVE-2017-3289"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3194-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-2183"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5546"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5547"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5548"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5552"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3231"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3241"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3252"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3253"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3261"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3272"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3289"}],"affected":[{"package":{"name":"openjdk-7","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/openjdk-7@7u121-2.6.8-1ubuntu0.14.04.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7u121-2.6.8-1ubuntu0.14.04.3"}]}],"versions":["7u25-2.3.12-4ubuntu3","7u25-2.3.12-4ubuntu5","7u45-2.4.3-3ubuntu1","7u45-2.4.3-3ubuntu2","7u45-2.4.3-4ubuntu1","7u45-2.4.3-4ubuntu2","7u51-2.4.4-1ubuntu1","7u51-2.4.5-1ubuntu1","7u51-2.4.6~pre1-1ubuntu2","7u51-2.4.6-1ubuntu3","7u51-2.4.6-1ubuntu4","7u55-2.4.7-1ubuntu1","7u65-2.5.1-4ubuntu1~0.14.04.1","7u65-2.5.1-4ubuntu1~0.14.04.2","7u65-2.5.2-3~14.04","7u71-2.5.3-0ubuntu0.14.04.1","7u75-2.5.4-1~trusty1","7u79-2.5.5-0ubuntu0.14.04.2","7u79-2.5.6-0ubuntu1.14.04.1","7u85-2.6.1-5ubuntu0.14.04.1","7u91-2.6.3-0ubuntu0.14.04.1","7u95-2.6.4-0ubuntu0.14.04.1","7u95-2.6.4-0ubuntu0.14.04.2","7u101-2.6.6-0ubuntu0.14.04.1","7u111-2.6.7-0ubuntu0.14.04.3","7u121-2.6.8-1ubuntu0.14.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"icedtea-7-jre-jamvm","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"},{"binary_name":"openjdk-7-demo","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"},{"binary_name":"openjdk-7-jdk","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"},{"binary_name":"openjdk-7-jre","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"},{"binary_name":"openjdk-7-jre-headless","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"},{"binary_name":"openjdk-7-jre-lib","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"},{"binary_name":"openjdk-7-jre-zero","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"},{"binary_name":"openjdk-7-source","binary_version":"7u121-2.6.8-1ubuntu0.14.04.3"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:14.04:LTS","cves":[{"id":"CVE-2016-2183","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2016-5546","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-5547","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-5548","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-5552","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2017-3231","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2017-3241","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2017-3252","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2017-3253","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2017-3261","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2017-3272","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2017-3289","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3194-1.json"}}],"schema_version":"1.7.3"}