BLSA-2017:0049 – [Moderate] java-1.7.0-openjdk security advisory and remediation


    Problem description

    A series of security vulnerabilities has recently been disclosed in java-1.7.0-openjdk. A malicious attacker could exploit them to compromise the system. To strengthen system security, all users of the affected products are advised to install the update packages provided by BCLinux.

    About the JDK
    The JDK is the software development kit for the Java language, used mainly for Java applications on mobile and embedded devices. The JDK is the core of all Java development: it contains the Java runtime environment, the Java tools and the Java base class library.
    About OpenJDK
    OpenJDK is software that runs only on i386 and AMD-64 machines. As the GPL-licensed open-source implementation of the Java platform, it has been officially released by Sun for more than six years. Since its release, the Java community at large has been working hard to adapt to this new open-source code base.
    Differences between the JDK and OpenJDK
    1. Different licences:
             OpenJDK is released under GPL v2, whereas the JDK is released under the JRL. Both are open-source licences, but they differ in permitted use: GPL v2 allows commercial use, while the JRL allows personal research use only.
    2. OpenJDK does not include the Deployment features:
             the deployment features include the Browser Plugin, Java Web Start and the Java Control Panel, none of which can be found in OpenJDK.
    3. OpenJDK's source code is incomplete:
             in the GPL-licensed OpenJDK, part of the Sun JDK source could not be released to OpenJDK for intellectual-property reasons, most notably the code of the optional SNMP part of JMX. The source that could not be released was therefore packaged as a plug for use when compiling OpenJDK, and you may also choose not to use the plug. IcedTea developed functionally equivalent source for these missing parts (OpenJDK6), making OpenJDK more complete.
    4. Part of the source code replaced with open-source code:
             for intellectual-property reasons, much of the source code not owned by Sun was replaced with functionally equivalent open-source code; for example, the font rasterisation engine was replaced with FreeType.
    5. OpenJDK contains only the minimal JDK:
             OpenJDK does not include other packages such as Rhino and Java DB, and packages that can be separated are separated as far as possible. Most of these are free software, however, and you can download and add them yourself.

    Affected versions

    • BigCloud Enterprise Linux 7
    • BigCloud Enterprise Linux 6
    • Red Hat Enterprise Linux 7
    • Red Hat Enterprise Linux 6
    • CentOS Linux 7
    • CentOS Linux 6

    Details

    • CVE-2017-3511 [Moderate]
      An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could use this flaw to make a Java application that uses the JCE component load an attacker-controlled library and thereby escalate privileges.

    • CVE-2017-3526 [Moderate]
      The JAXP component of OpenJDK did not correctly enforce the parse tree size limit when parsing XML documents. A malicious attacker could use this flaw, via a specially crafted XML document, to make a Java application consume large amounts of CPU and memory while parsing that document.

    • CVE-2017-3509 [Moderate]
      The HTTP client implementation in the Networking component of OpenJDK was found to cache and reuse NTLM-authenticated connections across different security contexts. A remote attacker could use this flaw to make a Java application perform HTTP requests authenticated with a different user's credentials.

    • CVE-2017-3539 [Moderate]
      The Security component of OpenJDK did not allow users to restrict the set of algorithms permitted for Jar integrity verification. A malicious attacker could use this flaw to modify the contents of a Jar file signed with a weak signing key or hash algorithm.

    • CVE-2017-3533 [Low], CVE-2017-3544 [Low]
      Newline injection flaws were found in the FTP and SMTP client implementations in the Networking component of OpenJDK. A malicious remote attacker could use these flaws to manipulate FTP or SMTP connections created by a Java application.

    Solution

    Updated java-1.7.0-openjdk packages are now available from the official BCLinux repositories.
    BCLinux 7 users should upgrade to version 1.7.0.141-2.6.10.1.el7_3;
    BCLinux 6 users should upgrade to version 1.7.0.141-2.6.10.1.el6.

    Update steps for BCLinux 7 users

    1. Check the YUM repository configuration and make sure the official BCLinux YUM repositories are in use

    [root@BCLinux ~]# ls -l /etc/yum.repos.d/
    total 16
    -rw-r--r--. 1 root root 1127 Jan  7  2016 BCLinux-Base.repo
    -rw-r--r--. 1 root root  794 Jan  7  2016 BCLinux-Kernel.repo
    -rw-r--r--. 1 root root 1153 Jan  7  2016 BCLinux-Source.repo
    -rw-r--r--. 1 root root  801 Jan  7  2016 BigCloud.repo
    

    2. Install the update

    [root@BCLinux ~]# yum update java-1.7.0-openjdk
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package java-1.7.0-openjdk.x86_64 1:1.7.0.111-2.6.7.8.el7 will be updated
    ---> Package java-1.7.0-openjdk.x86_64 1:1.7.0.141-2.6.10.1.el7_3 will be an update
    --> Processing Dependency: java-1.7.0-openjdk-headless = 1:1.7.0.141-2.6.10.1.el7_3 for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64
    --> Running transaction check
    ---> Package java-1.7.0-openjdk-headless.x86_64 1:1.7.0.111-2.6.7.8.el7 will be updated
    ---> Package java-1.7.0-openjdk-headless.x86_64 1:1.7.0.141-2.6.10.1.el7_3 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ===============================================================================================================================================
     Package                                     Arch                   Version                                      Repository               Size
    ===============================================================================================================================================
    Updating:
     java-1.7.0-openjdk                          x86_64                 1:1.7.0.141-2.6.10.1.el7_3                   updates                 231 k
    Updating for dependencies:
     java-1.7.0-openjdk-headless                 x86_64                 1:1.7.0.141-2.6.10.1.el7_3                   updates                  25 M
    
    Transaction Summary
    ===============================================================================================================================================
    Upgrade  1 Package (+1 Dependent package)
    
    Total download size: 26 M
    Is this ok [y/d/N]: y
    

    3. Verify

    [root@BCLinux ~]# rpm -q java-1.7.0-openjdk
    java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64
    

    4. Restart applications

    After installing the update, restart applications for the update to take effect.

    Update steps for BCLinux 6 users

    1. Check the YUM repository configuration and make sure the official BCLinux YUM repositories are in use

    [root@BCLinux ~]#  ls -l /etc/yum.repos.d/
    total 12
    -rw-r--r--. 1 root root  969 Nov 16  2015 BCLinux-Base.repo
    -rw-r--r--. 1 root root 1053 Nov 16  2015 BCLinux-Source.repo
    -rw-r--r--. 1 root root 1184 Nov 16  2015 BigCloud.repo
    

    2. Install the update

    [root@BCLinux ~]# yum update java-1.7.0-openjdk
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package java-1.7.0-openjdk.x86_64 1:1.7.0.45-2.4.3.3.el6 will be updated
    ---> Package java-1.7.0-openjdk.x86_64 1:1.7.0.141-2.6.10.1.el6 will be an update
    --> Processing Dependency: nss(x86-64) >= 3.28.4 for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libsctp.so.1(VERS_1)(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libsctp.so.1()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libpcsclite.so.1()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libpangoft2-1.0.so.0()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libpangocairo-1.0.so.0()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libpango-1.0.so.0()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libgtk-x11-2.0.so.0()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libgdk_pixbuf-2.0.so.0()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libgdk-x11-2.0.so.0()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libgconf-2.so.4()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libcups.so.2()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libcairo.so.2()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libatk-1.0.so.0()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Processing Dependency: libXcomposite.so.1()(64bit) for package: 1:java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    --> Running transaction check
    ---> Package GConf2.x86_64 0:2.28.0-6.el6 will be installed
    --> Processing Dependency: dbus for package: GConf2-2.28.0-6.el6.x86_64
    --> Processing Dependency: sgml-common for package: GConf2-2.28.0-6.el6.x86_64
    --> Processing Dependency: libORBit-2.so.0()(64bit) for package: GConf2-2.28.0-6.el6.x86_64
    --> Processing Dependency: libpolkit-gobject-1.so.0()(64bit) for package: GConf2-2.28.0-6.el6.x86_64
    ---> Package atk.x86_64 0:1.30.0-1.el6 will be installed
    ---> Package cairo.x86_64 0:1.8.8-3.1.el6 will be installed
    --> Processing Dependency: libpixman-1.so.0()(64bit) for package: cairo-1.8.8-3.1.el6.x86_64
    ---> Package cups-libs.x86_64 1:1.4.2-52.el6_5.2 will be installed
    --> Processing Dependency: libgnutls.so.26(GNUTLS_1_4)(64bit) for package: 1:cups-libs-1.4.2-52.el6_5.2.x86_64
    --> Processing Dependency: libtiff.so.3()(64bit) for package: 1:cups-libs-1.4.2-52.el6_5.2.x86_64
    --> Processing Dependency: libgnutls.so.26()(64bit) for package: 1:cups-libs-1.4.2-52.el6_5.2.x86_64
    --> Processing Dependency: libavahi-common.so.3()(64bit) for package: 1:cups-libs-1.4.2-52.el6_5.2.x86_64
    --> Processing Dependency: libavahi-client.so.3()(64bit) for package: 1:cups-libs-1.4.2-52.el6_5.2.x86_64
    ---> Package gtk2.x86_64 0:2.20.1-4.el6 will be installed
    --> Processing Dependency: libXrandr >= 1.2.99.4-2 for package: gtk2-2.20.1-4.el6.x86_64
    --> Processing Dependency: hicolor-icon-theme for package: gtk2-2.20.1-4.el6.x86_64
    --> Processing Dependency: libXfixes.so.3()(64bit) for package: gtk2-2.20.1-4.el6.x86_64
    --> Processing Dependency: libXrandr.so.2()(64bit) for package: gtk2-2.20.1-4.el6.x86_64
    --> Processing Dependency: libjasper.so.1()(64bit) for package: gtk2-2.20.1-4.el6.x86_64
    --> Processing Dependency: libXinerama.so.1()(64bit) for package: gtk2-2.20.1-4.el6.x86_64
    --> Processing Dependency: libXdamage.so.1()(64bit) for package: gtk2-2.20.1-4.el6.x86_64
    --> Processing Dependency: libXcursor.so.1()(64bit) for package: gtk2-2.20.1-4.el6.x86_64
    ---> Package libXcomposite.x86_64 0:0.4.3-4.el6 will be installed
    ---> Package lksctp-tools.x86_64 0:1.0.10-7.el6 will be installed
    ---> Package nss.x86_64 0:3.15.1-15.el6 will be updated
    --> Processing Dependency: nss = 3.15.1-15.el6 for package: nss-sysinit-3.15.1-15.el6.x86_64
    --> Processing Dependency: nss(x86-64) = 3.15.1-15.el6 for package: nss-tools-3.15.1-15.el6.x86_64
    ---> Package nss.x86_64 0:3.28.4-1.el6 will be an update
    --> Processing Dependency: nss-util >= 3.28.3 for package: nss-3.28.4-1.el6.x86_64
    --> Processing Dependency: nss-softokn(x86-64) >= 3.14.3-22 for package: nss-3.28.4-1.el6.x86_64
    --> Processing Dependency: nspr >= 4.13.0 for package: nss-3.28.4-1.el6.x86_64
    --> Processing Dependency: libnssutil3.so(NSSUTIL_3.24)(64bit) for package: nss-3.28.4-1.el6.x86_64
    --> Processing Dependency: libnssutil3.so(NSSUTIL_3.21)(64bit) for package: nss-3.28.4-1.el6.x86_64
    --> Processing Dependency: libnssutil3.so(NSSUTIL_3.17.1)(64bit) for package: nss-3.28.4-1.el6.x86_64
    ---> Package pango.x86_64 0:1.28.1-7.el6_3 will be installed
    --> Processing Dependency: libthai >= 0.1.9 for package: pango-1.28.1-7.el6_3.x86_64
    --> Processing Dependency: libthai.so.0(LIBTHAI_0.1)(64bit) for package: pango-1.28.1-7.el6_3.x86_64
    --> Processing Dependency: libthai.so.0()(64bit) for package: pango-1.28.1-7.el6_3.x86_64
    --> Processing Dependency: libXft.so.2()(64bit) for package: pango-1.28.1-7.el6_3.x86_64
    ---> Package pcsc-lite-libs.x86_64 0:1.5.2-13.el6_4 will be installed
    --> Running transaction check
    ---> Package ORBit2.x86_64 0:2.14.17-3.2.el6_3 will be installed
    --> Processing Dependency: libIDL-2.so.0()(64bit) for package: ORBit2-2.14.17-3.2.el6_3.x86_64
    ---> Package avahi-libs.x86_64 0:0.6.25-12.el6_5.3 will be installed
    ---> Package dbus.x86_64 1:1.2.24-7.el6_3 will be installed
    ---> Package gnutls.x86_64 0:2.12.23-21.el6 will be installed
    ---> Package hicolor-icon-theme.noarch 0:0.11-1.1.el6 will be installed
    ---> Package jasper-libs.x86_64 0:1.900.1-15.el6_1.1 will be installed
    ---> Package libXcursor.x86_64 0:1.1.13-6.20130524git8f677eaea.el6 will be installed
    ---> Package libXdamage.x86_64 0:1.1.3-4.el6 will be installed
    ---> Package libXfixes.x86_64 0:5.0-3.el6 will be installed
    ---> Package libXft.x86_64 0:2.3.1-2.el6 will be installed
    ---> Package libXinerama.x86_64 0:1.1.2-2.el6 will be installed
    ---> Package libXrandr.x86_64 0:1.4.0-1.el6 will be installed
    ---> Package libthai.x86_64 0:0.1.12-3.el6 will be installed
    ---> Package libtiff.x86_64 0:3.9.4-21.el6 will be installed
    ---> Package nspr.x86_64 0:4.10.0-1.el6 will be updated
    ---> Package nspr.x86_64 0:4.13.1-1.el6 will be an update
    ---> Package nss-softokn.x86_64 0:3.14.3-9.el6 will be updated
    ---> Package nss-softokn.x86_64 0:3.14.3-23.3.el6_8 will be an update
    --> Processing Dependency: nss-softokn-freebl(x86-64) >= 3.14.3-23.3.el6_8 for package: nss-softokn-3.14.3-23.3.el6_8.x86_64
    ---> Package nss-sysinit.x86_64 0:3.15.1-15.el6 will be updated
    ---> Package nss-sysinit.x86_64 0:3.28.4-1.el6 will be an update
    ---> Package nss-tools.x86_64 0:3.15.1-15.el6 will be updated
    ---> Package nss-tools.x86_64 0:3.28.4-1.el6 will be an update
    ---> Package nss-util.x86_64 0:3.15.1-3.el6 will be updated
    ---> Package nss-util.x86_64 0:3.28.4-1.el6 will be an update
    ---> Package pixman.x86_64 0:0.32.8-1.el6 will be installed
    ---> Package polkit.x86_64 0:0.96-5.el6_4 will be installed
    --> Processing Dependency: ConsoleKit for package: polkit-0.96-5.el6_4.x86_64
    --> Processing Dependency: libeggdbus-1.so.0()(64bit) for package: polkit-0.96-5.el6_4.x86_64
    ---> Package sgml-common.noarch 0:0.6.3-32.el6 will be installed
    --> Running transaction check
    ---> Package ConsoleKit.x86_64 0:0.4.1-3.el6 will be installed
    --> Processing Dependency: libck-connector.so.0()(64bit) for package: ConsoleKit-0.4.1-3.el6.x86_64
    ---> Package eggdbus.x86_64 0:0.6-3.el6 will be installed
    ---> Package libIDL.x86_64 0:0.8.13-2.1.el6 will be installed
    ---> Package nss-softokn-freebl.x86_64 0:3.14.3-9.el6 will be updated
    ---> Package nss-softokn-freebl.x86_64 0:3.14.3-23.3.el6_8 will be an update
    --> Running transaction check
    ---> Package ConsoleKit-libs.x86_64 0:0.4.1-3.el6 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ===============================================================================================================================================
     Package                             Arch                    Version                                            Repository                Size
    ===============================================================================================================================================
    Updating:
     java-1.7.0-openjdk                  x86_64                  1:1.7.0.141-2.6.10.1.el6                           updates                   26 M
    Installing for dependencies:
     ConsoleKit                          x86_64                  0.4.1-3.el6                                        base                      82 k
     ConsoleKit-libs                     x86_64                  0.4.1-3.el6                                        base                      17 k
     GConf2                              x86_64                  2.28.0-6.el6                                       base                     964 k
     ORBit2                              x86_64                  2.14.17-3.2.el6_3                                  base                     168 k
     atk                                 x86_64                  1.30.0-1.el6                                       base                     195 k
     avahi-libs                          x86_64                  0.6.25-12.el6_5.3                                  updates                   55 k
     cairo                               x86_64                  1.8.8-3.1.el6                                      base                     309 k
     cups-libs                           x86_64                  1:1.4.2-52.el6_5.2                                 updates                  316 k
     dbus                                x86_64                  1:1.2.24-7.el6_3                                   base                     207 k
     eggdbus                             x86_64                  0.6-3.el6                                          base                      91 k
     gnutls                              x86_64                  2.12.23-21.el6                                     updates                  388 k
     gtk2                                x86_64                  2.20.1-4.el6                                       base                     3.3 M
     hicolor-icon-theme                  noarch                  0.11-1.1.el6                                       base                      40 k
     jasper-libs                         x86_64                  1.900.1-15.el6_1.1                                 base                     136 k
     libIDL                              x86_64                  0.8.13-2.1.el6                                     base                      83 k
     libXcomposite                       x86_64                  0.4.3-4.el6                                        base                      20 k
     libXcursor                          x86_64                  1.1.13-6.20130524git8f677eaea.el6                  base                      28 k
     libXdamage                          x86_64                  1.1.3-4.el6                                        base                      18 k
     libXfixes                           x86_64                  5.0-3.el6                                          base                      23 k
     libXft                              x86_64                  2.3.1-2.el6                                        base                      55 k
     libXinerama                         x86_64                  1.1.2-2.el6                                        base                      20 k
     libXrandr                           x86_64                  1.4.0-1.el6                                        base                      36 k
     libthai                             x86_64                  0.1.12-3.el6                                       base                     183 k
     libtiff                             x86_64                  3.9.4-21.el6                                       updates                  345 k
     lksctp-tools                        x86_64                  1.0.10-7.el6                                       base                      79 k
     pango                               x86_64                  1.28.1-7.el6_3                                     base                     350 k
     pcsc-lite-libs                      x86_64                  1.5.2-13.el6_4                                     base                      28 k
     pixman                              x86_64                  0.32.8-1.el6                                       updates                  242 k
     polkit                              x86_64                  0.96-5.el6_4                                       base                     158 k
     sgml-common                         noarch                  0.6.3-32.el6                                       base                      43 k
    Updating for dependencies:
     nspr                                x86_64                  4.13.1-1.el6                                       updates                  113 k
     nss                                 x86_64                  3.28.4-1.el6                                       updates                  879 k
     nss-softokn                         x86_64                  3.14.3-23.3.el6_8                                  updates                  261 k
     nss-softokn-freebl                  x86_64                  3.14.3-23.3.el6_8                                  updates                  167 k
     nss-sysinit                         x86_64                  3.28.4-1.el6                                       updates                   50 k
     nss-tools                           x86_64                  3.28.4-1.el6                                       updates                  445 k
     nss-util                            x86_64                  3.28.4-1.el6                                       updates                   67 k
    
    Transaction Summary
    ===============================================================================================================================================
    Install      30 Package(s)
    Upgrade       8 Package(s)
    
    Total download size: 36 M
    Is this ok [y/N]: y
    

    3. Verify

    [root@BCLinux ~]# rpm -q java-1.7.0-openjdk
    java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6.x86_64
    

    4. Restart applications

    After installing the update, restart applications for the update to take effect.
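    Both update procedures above end with an `rpm -q` check. As an added example that is not part of the advisory, the POSIX shell script below turns that check into a pass/fail test against the fixed versions the advisory names (1.7.0.141-2.6.10.1.el7_3 for BCLinux 7 and 1.7.0.141-2.6.10.1.el6 for BCLinux 6), which is useful when the check has to run over many hosts. The `vercmp` helper is an assumed, simplified form of rpm's own version comparison, and the sample `rpm -q` lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not part of the BCLinux advisory: report whether the installed
# java-1.7.0-openjdk package is at or above the fixed version from BLSA-2017:0049.
# The fixed versions are the advisory's; the sample `rpm -q` lines are constructed.

FIXED_EL7="1.7.0.141-2.6.10.1.el7_3"
FIXED_EL6="1.7.0.141-2.6.10.1.el6"

# Simplified rpmvercmp (assumed helper): split both strings on '.', '-' and '_',
# then compare segment by segment, numerically when both segments are numbers
# and as strings otherwise. Prints -1, 0 or 1. rpm itself remains the authority
# for odd cases such as letters and digits mixed inside one segment.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[._-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[._-]/ /g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; if [ "$x" = "$a" ]; then a=''; else a=${a#* }; fi
        y=${b%% *}; if [ "$y" = "$b" ]; then b=''; else b=${b#* }; fi
        if [ -z "$x" ]; then x=0; fi   # a missing segment counts as 0
        if [ -z "$y" ]; then y=0; fi
        case "$x$y" in
            *[!0-9]*) lt=$(expr "$x" "<" "$y" || true)
                      gt=$(expr "$x" ">" "$y" || true) ;;
            *)        lt=$([ "$x" -lt "$y" ] && echo 1 || echo 0)
                      gt=$([ "$x" -gt "$y" ] && echo 1 || echo 0) ;;
        esac
        if [ "$lt" = 1 ]; then echo -1; return 0; fi
        if [ "$gt" = 1 ]; then echo 1; return 0; fi
    done
    echo 0
}

# Strip the package name and trailing arch from an `rpm -q` line, e.g.
# java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64 -> 1.7.0.141-2.6.10.1.el7_3
installed_vr() {
    s=${1#java-1.7.0-openjdk-}
    printf '%s\n' "${s%.*}"
}

# Exit 0 when the package is at or above the fixed version for its dist tag,
# 1 when it is still vulnerable, 2 when the dist tag is neither el6 nor el7.
check_fixed() {
    vr=$(installed_vr "$1")
    case "$vr" in
        *.el7*) fixed=$FIXED_EL7 ;;
        *.el6*) fixed=$FIXED_EL6 ;;
        *) echo "unrecognised dist tag in $1" >&2; return 2 ;;
    esac
    [ "$(vercmp "$vr" "$fixed")" -ge 0 ]
}

# Constructed sample lines; on a real host feed in: rpm -q java-1.7.0-openjdk
for line in java-1.7.0-openjdk-1.7.0.111-2.6.7.8.el7.x86_64 \
            java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64 \
            java-1.7.0-openjdk-1.7.0.45-2.4.3.3.el6.x86_64; do
    if check_fixed "$line"; then echo "fixed:      $line"; else echo "vulnerable: $line"; fi
done
```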

    External links

    1. BCLinux security updates