A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.
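The freshness decision described above, as an added example that is not OpenJDK's code: one function treats a missing nextUpdate as unlimited validity, the other falls back to a maximum age. The names `SingleResponse`, `is_fresh_flawed` and `is_fresh_bounded`, the 15-minute skew and the 24-hour maximum age are assumptions made for this illustration, and the sample responses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed relying-party policy for this example (not OpenJDK's values).
MAX_CLOCK_SKEW = timedelta(minutes=15)
MAX_AGE_WITHOUT_NEXT_UPDATE = timedelta(hours=24)

@dataclass(frozen=True)
class SingleResponse:
    """Time fields of one OCSP SingleResponse; nextUpdate is optional."""
    cert_status: str                      # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime] = None

def is_fresh_flawed(resp: SingleResponse, now: datetime) -> bool:
    """Flawed pattern: a missing nextUpdate is treated as 'never expires'."""
    if resp.this_update > now + MAX_CLOCK_SKEW:
        return False                      # response dated in the future
    if resp.next_update is None:
        return True                       # unlimited validity
    return now <= resp.next_update + MAX_CLOCK_SKEW

def is_fresh_bounded(resp: SingleResponse, now: datetime) -> bool:
    """Bounded pattern: a missing nextUpdate falls back to a maximum age."""
    if resp.this_update > now + MAX_CLOCK_SKEW:
        return False
    if resp.next_update is None:
        expiry = resp.this_update + MAX_AGE_WITHOUT_NEXT_UPDATE
    elif resp.next_update < resp.this_update:
        return False                      # malformed validity interval
    else:
        expiry = resp.next_update
    return now <= expiry + MAX_CLOCK_SKEW

# Constructed sample data: "good" responses relative to a fixed clock.
NOW = datetime(2015, 7, 1, 10, 0, tzinfo=timezone.utc)
STALE_NO_NEXT = SingleResponse("good", NOW - timedelta(days=90))
RECENT_NO_NEXT = SingleResponse("good", NOW - timedelta(hours=1))
WITH_NEXT = SingleResponse("good", NOW - timedelta(days=1), NOW + timedelta(days=6))

if __name__ == "__main__":
    samples = [("stale", STALE_NO_NEXT), ("recent", RECENT_NO_NEXT), ("dated", WITH_NEXT)]
    for name, resp in samples:
        print(name, is_fresh_flawed(resp, NOW), is_fresh_bounded(resp, NOW))
```

The 90-day-old "good" response passes the flawed check and fails the bounded one, which is the case where a certificate revoked in the meantime would still be accepted.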
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | java-1.6.0-openjdk | 2015-08-24 22:26 | ALAS-2015-586 |
Amazon Linux 1 | java-1.7.0-openjdk | 2015-07-22 10:00 | ALAS-2015-570 |
Amazon Linux 1 | java-1.8.0-openjdk | 2015-07-22 10:00 | ALAS-2015-571 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
NVD | CVSSv2 | 7.6 | AV:N/AC:H/Au:N/C:C/I:C/A:C |