Bug 1128158 (CVE-2018-1890) - VUL-0: CVE-2018-1890: java-1_8_0-ibm,java-1_7_0-ibm: local privilege escalation via insecure RPATHs
Summary: VUL-0: CVE-2018-1890: java-1_8_0-ibm,java-1_7_0-ibm: local privilege escalati...
Status: RESOLVED FIXED
Alias: CVE-2018-1890
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All SLES 12
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/225672/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-06 13:29 UTC by Robert Frohl
Modified: 2020-04-23 15:36 UTC
7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2019-03-06 13:29:07 UTC
rh#1685725

IBM JDK 8 SR5 FP20 (8.0.5.30) fixes a flaw described by upstream as:

IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users.

References:

https://www-01.ibm.com/support/docview.wss?uid=ibm10873332
https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_March_2019
https://bugzilla.redhat.com/show_bug.cgi?id=1685725
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1890
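The upstream text above describes the Java runtime being built with absolute RPATH entries, so a local user who can write to one of those directories could get a library of their own loaded. The script below is an added example written for this page, not code from IBM, SUSE or the bug report: it audits the DT_RPATH / DT_RUNPATH entries that binutils' `readelf -d` prints for a Linux ELF object and flags entries a non-root user could plausibly control (directories outside root-owned library prefixes, directories writable by others, and relative or `$ORIGIN` entries that need case-by-case review). The `readelf` output and all paths in it are constructed for the example; `TRUSTED_PREFIXES` is an assumption about the host layout and should be adjusted to the distribution being audited. The page itself does not state which RPATH values the affected packages carried, so none are reproduced here.

```python
"""Audit DT_RPATH / DT_RUNPATH entries reported by `readelf -d`.

Added example, not part of the bug report. It flags library search-path
entries that a local user could plausibly control: directories outside the
system library prefixes, directories writable by others, and relative or
$ORIGIN entries that are resolved relative to the binary at load time.
"""
import os
import re
import stat

# Library prefixes treated as trusted (root-owned, package-managed).
# Assumption for this example; adjust to the audited host's layout.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample of `readelf -d` output; every path here is invented
# and is not taken from the affected packages.
SAMPLE_READELF = """\
Dynamic section at offset 0x1d8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/home/builder/jdk/lib:/usr/lib64/jvm/java/lib:/tmp/libs]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
"""

# Matches both "Library rpath: [...]" (RPATH) and "Library runpath: [...]" (RUNPATH).
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def parse_search_paths(readelf_output):
    """Return [(tag, entry), ...] for every colon-separated RPATH/RUNPATH entry."""
    entries = []
    for line in readelf_output.splitlines():
        m = _RPATH_RE.search(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2)
        for entry in value.split(":"):
            if entry:
                entries.append((tag, entry))
    return entries


def dir_writable_by_others(path):
    """True if the directory exists and is group- or world-writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def classify(entry, writable=dir_writable_by_others):
    """Return None for a trusted entry, otherwise a short reason string.

    `writable` is injectable so the check can be run against a fixed
    fixture (as in the test) instead of the live filesystem.
    """
    if entry.startswith("$ORIGIN") or not entry.startswith("/"):
        return "relative or $ORIGIN entry: resolved at load time, review binary location"
    if writable(entry):
        return "directory is writable by non-owner users"
    if not any(entry == p or entry.startswith(p + "/") for p in TRUSTED_PREFIXES):
        return "absolute path outside trusted library prefixes"
    return None


def audit(readelf_output, writable=dir_writable_by_others):
    """Return [(tag, entry, reason), ...] for entries that merit attention."""
    findings = []
    for tag, entry in parse_search_paths(readelf_output):
        reason = classify(entry, writable)
        if reason:
            findings.append((tag, entry, reason))
    return findings


if __name__ == "__main__":
    # To audit a real installation, feed `readelf -d <file>` output instead
    # of the constructed sample, e.g. for every ELF file under the JDK prefix.
    for tag, entry, reason in audit(SAMPLE_READELF):
        print(f"{tag:8} {entry:40} {reason}")
```

The writable check is deliberately separate from the prefix check so that a root-owned prefix with a loosely permissioned subdirectory is still reported; in a package review the same logic can be run over every ELF file the package ships, which is the check a distribution would use to confirm that a rebuilt package no longer carries build-tree RPATHs.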
Comment 1 Robert Frohl 2019-03-06 13:31:10 UTC
for java-1_7_0-ibm should be affected:
- SUSE:SLE-11-SP2:Update

for java-1_8_0-ibm should be affected:
- SUSE:SLE-12-SP1:Update
- SUSE:SLE-15:Update
Comment 2 Pedro Monreal Gonzalez 2019-03-06 14:34:16 UTC
Also affected java-1_7_1-ibm:
- SUSE_SLE-11-SP4_Update
- SUSE_SLE-12_Update
Comment 3 Robert Frohl 2019-03-06 14:55:55 UTC
Thanks Pedro, I missed that version.
Comment 4 Pedro Monreal Gonzalez 2019-03-06 17:01:54 UTC
Packages submitted:

java-1_8_0-ibm.SUSE_SLE-15_Update       sr#186372
java-1_8_0-ibm.SUSE_SLE-12-SP1_Update   sr#186370

java-1_7_1-ibm.SUSE_SLE-12_Update       sr#186375
java-1_7_1-ibm.SUSE_SLE-11-SP4_Update   sr#186379

java-1_7_0-ibm.SUSE_SLE-11-SP2_Update   sr#186383
Comment 8 Swamp Workflow Management 2019-03-12 20:14:20 UTC
SUSE-SU-2019:0585-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1122292,1122293,1122299,1128158
CVE References: CVE-2018-11212,CVE-2018-1890,CVE-2019-2422,CVE-2019-2449
Sources used:
SUSE Linux Enterprise Module for Legacy Software 15 (src):    java-1_8_0-ibm-1.8.0_sr5.30-3.16.2
Comment 9 Swamp Workflow Management 2019-03-15 17:12:27 UTC
SUSE-SU-2019:0617-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1122292,1122293,1122299,1128158
CVE References: CVE-2018-11212,CVE-2018-1890,CVE-2019-2422,CVE-2019-2449
Sources used:
SUSE OpenStack Cloud 7 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP3 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Enterprise Storage 4 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
Comment 10 Alexandros Toptsoglou 2020-04-23 15:36:01 UTC
Done