usn-3130-1
Vulnerability from osv_ubuntu
It was discovered that OpenJDK did not restrict the set of algorithms used for Jar integrity verification. An attacker could use this to modify without detection the content of a JAR file, affecting system integrity. (CVE-2016-5542)
It was discovered that the JMX component of OpenJDK did not sufficiently perform classloader consistency checks. An attacker could use this to bypass Java sandbox restrictions. (CVE-2016-5554)
It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could use this to send debugging commands to a Java application with debugging enabled. (CVE-2016-5573)
It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An attacker could use this to bypass Java sandbox restrictions. (CVE-2016-5582)
It was discovered that OpenJDK did not properly handle HTTP proxy authentication. An attacker could use this to expose HTTPS server authentication credentials. (CVE-2016-5597)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2016-5542",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2016-5554",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2016-5573",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2016-5582",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2016-5597",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "icedtea-7-jre-jamvm",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
},
{
"binary_name": "openjdk-7-demo",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
},
{
"binary_name": "openjdk-7-jdk",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
},
{
"binary_name": "openjdk-7-jre",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
},
{
"binary_name": "openjdk-7-jre-headless",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
},
{
"binary_name": "openjdk-7-jre-lib",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
},
{
"binary_name": "openjdk-7-jre-zero",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
},
{
"binary_name": "openjdk-7-source",
"binary_version": "7u121-2.6.8-1ubuntu0.14.04.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:14.04:LTS",
"name": "openjdk-7",
"purl": "pkg:deb/ubuntu/openjdk-7@7u121-2.6.8-1ubuntu0.14.04.1?arch=source\u0026distro=trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7u121-2.6.8-1ubuntu0.14.04.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7u25-2.3.12-4ubuntu3",
"7u25-2.3.12-4ubuntu5",
"7u45-2.4.3-3ubuntu1",
"7u45-2.4.3-3ubuntu2",
"7u45-2.4.3-4ubuntu1",
"7u45-2.4.3-4ubuntu2",
"7u51-2.4.4-1ubuntu1",
"7u51-2.4.5-1ubuntu1",
"7u51-2.4.6~pre1-1ubuntu2",
"7u51-2.4.6-1ubuntu3",
"7u51-2.4.6-1ubuntu4",
"7u55-2.4.7-1ubuntu1",
"7u65-2.5.1-4ubuntu1~0.14.04.1",
"7u65-2.5.1-4ubuntu1~0.14.04.2",
"7u65-2.5.2-3~14.04",
"7u71-2.5.3-0ubuntu0.14.04.1",
"7u75-2.5.4-1~trusty1",
"7u79-2.5.5-0ubuntu0.14.04.2",
"7u79-2.5.6-0ubuntu1.14.04.1",
"7u85-2.6.1-5ubuntu0.14.04.1",
"7u91-2.6.3-0ubuntu0.14.04.1",
"7u95-2.6.4-0ubuntu0.14.04.1",
"7u95-2.6.4-0ubuntu0.14.04.2",
"7u101-2.6.6-0ubuntu0.14.04.1",
"7u111-2.6.7-0ubuntu0.14.04.3"
]
}
],
"aliases": [],
"details": "It was discovered that OpenJDK did not restrict the set of algorithms used\nfor Jar integrity verification. An attacker could use this to modify\nwithout detection the content of a JAR file, affecting system integrity.\n(CVE-2016-5542)\n\nIt was discovered that the JMX component of OpenJDK did not sufficiently\nperform classloader consistency checks. An attacker could use this to\nbypass Java sandbox restrictions. (CVE-2016-5554)\n\nIt was discovered that the Hotspot component of OpenJDK did not properly\ncheck received Java Debug Wire Protocol (JDWP) packets. An attacker could\nuse this to send debugging commands to a Java application with debugging\nenabled. (CVE-2016-5573)\n\nIt was discovered that the Hotspot component of OpenJDK did not properly\ncheck arguments of the System.arraycopy() function in certain cases. An\nattacker could use this to bypass Java sandbox restrictions.\n(CVE-2016-5582)\n\nIt was discovered that OpenJDK did not properly handle HTTP proxy\nauthentication. An attacker could use this to expose HTTPS server\nauthentication credentials. (CVE-2016-5597)\n",
"id": "USN-3130-1",
"modified": "2026-02-10T04:41:03Z",
"published": "2016-11-17T22:29:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-3130-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-5542"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-5554"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-5573"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-5582"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2016-5597"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "openjdk-7 vulnerabilities",
"upstream": [
"UBUNTU-CVE-2016-5542",
"UBUNTU-CVE-2016-5554",
"UBUNTU-CVE-2016-5573",
"UBUNTU-CVE-2016-5582",
"UBUNTU-CVE-2016-5597"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.