OpenJDK 11.0.3 Released

Jones, Philip philip.m.jones at siemens.com
Wed Apr 17 06:54:02 UTC 2019


Andrew

Can I check the CVEs referenced below?

Oracle put out their update a few hours later and the Java items they pulled out refer to two CVEs:

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixJAVA


(CVSS version 3.0 risk; see Risk Matrix Definitions: http://www.oracle.com/technetwork/topics/security/advisorymatrixglossary-101807.html)

CVE-2019-2602
  Product: Java SE, Java SE Embedded
  Component: Libraries
  Protocol: Multiple
  Remote exploit without auth.: Yes
  CVSS 3.0 base score: 7.5
    Attack Vector: Network; Attack Complexity: Low; Privileges Required: None;
    User Interaction: None; Scope: Unchanged;
    Confidentiality: None; Integrity: None; Availability: High
  Supported versions affected: Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201
  Notes: See Note 3

CVE-2019-2684
  Product: Java SE, Java SE Embedded
  Component: RMI
  Protocol: Multiple
  Remote exploit without auth.: Yes
  CVSS 3.0 base score: 5.9
    Attack Vector: Network; Attack Complexity: High; Privileges Required: None;
    User Interaction: None; Scope: Unchanged;
    Confidentiality: None; Integrity: High; Availability: None
  Supported versions affected: Java SE: 7u211, 8u202, 11.0.2, 12; Java SE Embedded: 8u201
  Notes: See Note 1




and your email refers to 3 security fixes and also has two CVEs:

New in OpenJDK 11.0.3:

* Security fixes

  - S8211936, CVE-2019-2602: Better String parsing

  - S8214809: CDS storage improvements

  - S8218453, CVE-2019-2698: More dynamic RMI interactions

The first, CVE-2019-2602, matches up exactly.

The second Oracle-announced CVE, CVE-2019-2684, does not occur in your email.

On https://access.redhat.com/security/cve/cve-2019-2684 there is detail of this and it says:

Bugzilla:1700564: CVE-2019-2684 OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453)

All that matches up with the third fix you list, so RMI and 8218453 all tie up, but the CVE you refer to is CVE-2019-2698.

The detail for that, https://access.redhat.com/security/cve/cve-2019-2698, says:

Bugzilla:1700447: CVE-2019-2698 OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022)

So it is a different issue.

Regards

Philip



-----Original Message-----
From: jdk-updates-dev <jdk-updates-dev-bounces at openjdk.java.net> On Behalf Of Andrew John Hughes
Sent: 16 April 2019 22:37
To: 'jdk-updates-dev at openjdk.java.net' <jdk-updates-dev at openjdk.java.net>
Subject: OpenJDK 11.0.3 Released



-----------------
Siemens Industry Software Limited is a limited company registered in England and Wales.
Registered number: 3476850.
Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.


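The cross-check Philip performs by hand above (release-note bug/CVE pairs against the vendor advisory, then against a third party's CVE-to-bug mapping) is mechanical enough to script. The following is an added example, not code from the OpenJDK project or from anyone on the list; its inputs are constructed from the text of the message above (the three fix lines, the two CVEs in the Oracle matrix, and the two Red Hat CVE pages), and the function and variable names are the example's own.

```python
import re

# Constructed input: the "Security fixes" block from the OpenJDK 11.0.3 announcement, as quoted above.
RELEASE_NOTES = """\
* Security fixes
  - S8211936, CVE-2019-2602: Better String parsing
  - S8214809: CDS storage improvements
  - S8218453, CVE-2019-2698: More dynamic RMI interactions
"""

# Constructed input: the CVEs Oracle lists for Java SE in the April 2019 CPU matrix quoted above.
ADVISORY_CVES = {"CVE-2019-2602", "CVE-2019-2684"}

# Constructed input: CVE -> OpenJDK bug id, taken from the two Red Hat CVE pages quoted above.
REDHAT_CVE_TO_BUG = {
    "CVE-2019-2684": "8218453",
    "CVE-2019-2698": "8219022",
}

# One release-note fix line: "- S<bug>[, CVE-YYYY-NNNN]: description"
LINE_RE = re.compile(r"^\s*-\s*S(?P<bug>\d+)(?:,\s*(?P<cve>CVE-\d{4}-\d{4,}))?:")


def parse_release_notes(text):
    """Return [(bug_id, cve_or_None), ...] for every fix line in the release-note text."""
    fixes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fixes.append((m.group("bug"), m.group("cve")))
    return fixes


def reconcile(fixes, advisory_cves, cve_to_bug):
    """Cross-check release-note CVE claims against the vendor advisory and a CVE->bug map.

    Returns a list of human-readable discrepancies; an empty list means everything ties up.
    """
    findings = []

    # 1. Every CVE the advisory lists should be claimed by some fix line.
    claimed = {cve for _, cve in fixes if cve}
    for cve in sorted(advisory_cves - claimed):
        findings.append(f"{cve} is in the advisory but absent from the release notes")

    bug_to_cve = {bug: cve for cve, bug in cve_to_bug.items()}
    for bug, cve in fixes:
        # 2. A CVE a fix line claims should appear in the advisory.
        if cve and cve not in advisory_cves:
            findings.append(f"{cve} (S{bug}) is not in the advisory")
        # 3. If a third party maps that CVE to a bug, it should be this bug.
        if cve and cve in cve_to_bug and cve_to_bug[cve] != bug:
            findings.append(f"{cve} maps to S{cve_to_bug[cve]} elsewhere, not S{bug}")
        # 4. If a third party maps this bug to a CVE, the fix line should name that CVE.
        if bug in bug_to_cve and bug_to_cve[bug] != cve:
            findings.append(
                f"S{bug} is tracked elsewhere as {bug_to_cve[bug]}, release note says {cve}"
            )
    return findings


def run():
    """Reconcile the constructed inputs; returns the list of discrepancies found."""
    return reconcile(parse_release_notes(RELEASE_NOTES), ADVISORY_CVES, REDHAT_CVE_TO_BUG)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run as-is it reports exactly the discrepancy described in the message: CVE-2019-2684 is missing from the notes, CVE-2019-2698 is not in the advisory, and bug 8218453 is tied to CVE-2019-2684 rather than CVE-2019-2698. Checks 3 and 4 are both needed: one catches a CVE attached to the wrong bug, the other a bug attached to the wrong CVE, and a typo in either direction only trips one of them.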