It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | java-1.6.0-openjdk | 2017-02-06 18:00 | ALAS-2017-795 |
Amazon Linux 1 | java-1.7.0-openjdk | 2016-11-18 12:30 | ALAS-2016-771 |
Amazon Linux 1 | java-1.7.0-openjdk | 2017-06-06 16:33 | ALAS-2017-835 |
Amazon Linux 1 | java-1.8.0-openjdk | 2016-10-27 17:00 | ALAS-2016-759 |
Amazon Linux 1 | java-1.8.0-openjdk | 2017-05-09 23:21 | ALAS-2017-827 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 2.6 | AV:N/AC:H/Au:N/C:N/I:P/A:N |
Amazon Linux | CVSSv3 | 3.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
NVD | CVSSv3 | 3.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |