The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.
An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-0429 to this issue.
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0456, CVE-2014-2397 and CVE-2014-2421 to these issues.
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0457, CVE-2014-0455 and CVE-2014-0461 to these issues.
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427 and CVE-2014-0459 to these issues.
Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-0460 to this issue.
It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-2403 to this issue.
It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-0453 to this issue.
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-2398 to this issue.
An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1876 to this issue.
More information about these vulnerabilities can be found in the security advisory issued by Red Hat:
| Product: | Affected Version(s): | Risk Level: | Actions: |
|---|---|---|---|
| Avaya Aura® Experience Portal | 7.0, 7.0.1 | Low | For 7.0, install 7.0 Security Updates. Refer to the Security Updates page for details. For 7.0.1, install 7.0.1 Security Updates. Refer to the Security Updates page for details. |
| Avaya IP Office Server Edition | 8.1 thru 9.1.3 | Medium | Upgrade to 9.1.4 or later. |
| Avaya IP Office Application Server | 9.0 thru 9.1.3 | Medium | Upgrade to 9.1.4 or later. |
| Avaya one-X® Client Enablement Services | 6.2 including SP1 and SP2 | Medium | Upgrade to 6.2 SP3 or later. |
Recommended Actions for System Products:
Avaya strongly recommends following networking and
security best practices by implementing firewalls, ACLs,
physical security or other appropriate access restrictions.
Though Avaya believes such restrictions should always be in
place, risk to Avaya products and the surrounding network
from this potential vulnerability may be mitigated by
ensuring these practices are implemented until such time as
an Avaya provided product update or the recommended Avaya
action is applied.
Further restrictions as deemed necessary based on the
customer's security policies may be required during this
interim period, but the System Product operating system or
application should not be modified unless the change is
approved by Avaya. Making changes that are not approved may
void the Avaya product service contract.
When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:
| Vulnerability | Mitigating Factors |
|---|---|
|
CVE-2014-0429 CVE-2014-0446 CVE-2014-0451 CVE-2014-0452 CVE-2014-0454 CVE-2014-0455 CVE-2014-0456 CVE-2014-0457 CVE-2014-0458 CVE-2014-0459 CVE-2014-0461 CVE-2014-2397 CVE-2014-2402 CVE-2014-2412 CVE-2014-2413 CVE-2014-2414 CVE-2014-2421 CVE-2014-2423 CVE-2014-2427 |
These are a Low risk for Experience Portal because openjdk is not used by default. These are a Low risk for all other affected products because execution of untrusted Java application or applets is not possible without non-standard direct user interaction. |
| CVE-2014-0453 | This is a Low risk for Experience Portal because openjdk is not used by default. This is a Medium risk for all other affected products due to the potential for exposure of sensitive data. |
|
CVE-2014-0460 |
This is a Low risk for Experience Portal because openjdk is not used by default. This is a Medium risk for all other affected products because of the potential for DNS spoofing attacks which could also allow man in the middle attacks. |
| CVE-2014-1876 | This is a Low risk for Experience Portal because openjdk is not used default. This is a Low risk for all other affected products because use of the unpack200 utility is not used by default and would require non-standard direct user interaction. |
| CVE-2014-2398 | This is a Low risk for Experience Portal because openjdk is not used by default. This is a Low risk for all other affected products because generating javadoc documents would require non-standard direct user interaction. |
| CVE-2014-2403 | This is a Low risk for Experience Portal because openjdk is not used by default. This is a Medium risk for all other affected products due to the potential for exposure of sensitive data and/or affect application availability. |
Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.
In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.
| Product: | Actions: |
|---|---|
| Avaya Aura® Experience Portal | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the EP application. |
Recommended Actions for Software-Only Products:
In the event that the affected package is installed, Avaya recommends following recommended actions supplied by Red Hat regarding their Enterprise Linux.
Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
V 1.0 - May 02, 2014 - Initial Statement issued.
V 2.0 - February 16, 2015 - Changed EP and one-X CES affected versions and actions.
V 3.0 - October 14, 2015 - Changed IPOSE and IPOAS affected versions and actions,
and set advisory status to final.
Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at
securityalerts@avaya.com.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.