Bug 1122292 - (CVE-2019-2449) VUL-0: CVE-2019-2449: java-1_8_0-openjdk: Remote attackers may delete arbitrary files
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium, Normal
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/222879/
CVSSv3:UNK(Oracle):CVE-2019-2449:3.1:...
Reported: 2019-01-17 09:01 UTC by Alexandros Toptsoglou
Modified: 2019-09-12 19:48 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-01-17 09:01:15 UTC
This vulnerability allows remote attackers to delete arbitrary files on
vulnerable installations of Oracle Java. User interaction is required to exploit
this vulnerability in that the target must visit a malicious page or open a
malicious file.

The specific flaw exists within the handling of URIs with the jnlp: protocol.
The issue results from the lack of proper validation of a user-supplied path
prior to using it in file operations. An attacker can leverage this
vulnerability to delete files in the context of the current user.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2449
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#CVE-2019-2449
https://www.zerodayinitiative.com/advisories/ZDI-19-033/
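The flaw class the advisory describes (a user-supplied path taken from a jnlp: URI and used in a file operation without validation), as an added example that is not code from Oracle, OpenJDK or this bug report: a hypothetical cache cleaner shown first with the unchecked delete and then with canonicalisation and a containment check against the cache root. The class name, method names and the jnlp-cache layout are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

// Hypothetical JNLP cache cleaner used only to illustrate the bug class.
public class JnlpCacheCleaner {
    private final Path cacheRoot;

    public JnlpCacheCleaner(Path cacheRoot) throws IOException {
        // Resolve symlinks once so later containment checks compare real paths.
        this.cacheRoot = cacheRoot.toRealPath();
    }

    // Weak: the path component of an attacker-controlled jnlp: URI goes straight
    // into a file operation, so "../" segments walk out of the cache directory.
    public boolean deleteCachedUnchecked(URI jnlpUri) throws IOException {
        Path target = cacheRoot.resolve(jnlpUri.getPath().replaceFirst("^/+", ""));
        return Files.deleteIfExists(target);
    }

    // Hardened: normalise the candidate and refuse anything outside the cache root.
    public Path resolveInsideCache(URI jnlpUri) throws IOException {
        String p = jnlpUri.getPath();          // null for opaque URIs such as "jnlp:x"
        if (p == null || p.isEmpty()) {
            throw new IllegalArgumentException("jnlp: URI has no path");
        }
        Path candidate = cacheRoot.resolve(p.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(cacheRoot)) {
            throw new SecurityException("path escapes cache root: " + p);
        }
        // A symlink planted inside the cache must not redirect the delete outside it.
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)
                && !candidate.toRealPath().startsWith(cacheRoot)) {
            throw new SecurityException("symlink escapes cache root: " + p);
        }
        return candidate;
    }

    public boolean deleteCachedChecked(URI jnlpUri) throws IOException {
        return Files.deleteIfExists(resolveInsideCache(jnlpUri));
    }

    public static void main(String[] args) throws Exception {
        JnlpCacheCleaner c = new JnlpCacheCleaner(Files.createTempDirectory("jnlp-cache"));
        URI traversal = URI.create("jnlp:///../../outside.txt");   // constructed input
        try { c.deleteCachedChecked(traversal); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```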
Comment 1 Swamp Workflow Management 2019-02-01 21:15:50 UTC
SUSE-SU-2019:0222-1: An update that solves 13 vulnerabilities and has 258 fixes is now available.

Category: security (important)
Bug References: 1024718,1046299,1050242,1050244,1051510,1055120,1055121,1055186,1058115,1060463,1065600,1065729,1068032,1068273,1074562,1074578,1074701,1075006,1075419,1075748,1078248,1079935,1080039,1082387,1082555,1082653,1083647,1085535,1086282,1086283,1086423,1087082,1087084,1087939,1087978,1088386,1089350,1090888,1091405,1094244,1097593,1097755,1102055,1102875,1102877,1102879,1102882,1102896,1103257,1104353,1104427,1104824,1104967,1105168,1106105,1106110,1106237,1106240,1106615,1106913,1107207,1107256,1107385,1107866,1108270,1108468,1109272,1109772,1109806,1110006,1110558,1110998,1111062,1111174,1111188,1111469,1111696,1111795,1111809,1112128,1112963,1113295,1113412,1113501,1113677,1113722,1113769,1114015,1114178,1114279,1114385,1114576,1114577,1114578,1114579,1114580,1114581,1114582,1114583,1114584,1114585,1114648,1114839,1114871,1115074,1115269,1115431,1115433,1115440,1115567,1115709,1115976,1116040,1116183,1116336,1116692,1116693,1116698,1116699,1116700,1116701,1116803,1116841,1116862,1116863,1116876,1116877,1116878,1116891,1116895,1116899,1116950,1117115,1117162,1117165,1117168,1117172,1117174,1117181,1117184,1117186,1117188,1117189,1117349,1117561,1117656,1117788,1117789,1117790,1117791,1117792,1117794,1117795,1117796,1117798,1117799,1117801,1117802,1117803,1117804,1117805,1117806,1117807,1117808,1117815,1117816,1117817,1117818,1117819,1117820,1117821,1117822,1117953,1118102,1118136,1118137,1118138,1118140,1118152,1118215,1118316,1118319,1118320,1118428,1118484,1118505,1118752,1118760,1118761,1118762,1118766,1118767,1118768,1118769,1118771,1118772,1118773,1118774,1118775,1118787,1118788,1118798,1118809,1118962,1119017,1119086,1119212,1119322,1119410,1119714,1119749,1119804,1119946,1119947,1119962,1119968,1119974,1120036,1120046,1120053,1120054,1120055,1120058,1120088,1120092,1120094,1120096,1120097,1120173,1120214,1120223,1120228,1120230,1120232,1120234,1120235,1120238,1120594,1120598,1120600,1120601,1120602,1120603,1120604,1120606,1120612,1120613,1120614,
1120615,1120616,1120617,1120618,1120620,1120621,1120632,1120633,1120743,1120954,1121017,1121058,1121263,1121273,1121477,1121483,1121599,1121621,1121714,1121715,1121973,1122019,1122292
CVE References: CVE-2017-5753,CVE-2018-12232,CVE-2018-14625,CVE-2018-16862,CVE-2018-16884,CVE-2018-18281,CVE-2018-18397,CVE-2018-19407,CVE-2018-19824,CVE-2018-19854,CVE-2018-19985,CVE-2018-20169,CVE-2018-9568
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    kernel-azure-4.12.14-6.6.2, kernel-source-azure-4.12.14-6.6.2, kernel-syms-azure-4.12.14-6.6.2
Comment 2 Alexandros Toptsoglou 2019-03-07 17:52:32 UTC
jnlp is not part of openjdk
closing as Invalid
Comment 3 Swamp Workflow Management 2019-03-12 20:13:58 UTC
SUSE-SU-2019:0585-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1122292,1122293,1122299,1128158
CVE References: CVE-2018-11212,CVE-2018-1890,CVE-2019-2422,CVE-2019-2449
Sources used:
SUSE Linux Enterprise Module for Legacy Software 15 (src):    java-1_8_0-ibm-1.8.0_sr5.30-3.16.2
Comment 4 Swamp Workflow Management 2019-03-15 17:12:05 UTC
SUSE-SU-2019:0617-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1122292,1122293,1122299,1128158
CVE References: CVE-2018-11212,CVE-2018-1890,CVE-2019-2422,CVE-2019-2449
Sources used:
SUSE OpenStack Cloud 7 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP3 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
SUSE Enterprise Storage 4 (src):    java-1_8_0-ibm-1.8.0_sr5.30-30.46.1
Comment 5 Swamp Workflow Management 2019-03-26 20:25:59 UTC
SUSE-SU-2019:0765-1: An update that solves 13 vulnerabilities and has 215 fixes is now available.

Category: security (important)
Bug References: 1046305,1046306,1050252,1050549,1051510,1054610,1055121,1056658,1056662,1056787,1060463,1063638,1065600,1068032,1070995,1071995,1074562,1074578,1074701,1075006,1075419,1075748,1078355,1080039,1082943,1083548,1083647,1084216,1086095,1086282,1086301,1086313,1086314,1086323,1087082,1087084,1087092,1087939,1088133,1094555,1098382,1098425,1098995,1102055,1103429,1104353,1106105,1106434,1106811,1107078,1107665,1108101,1108870,1109695,1110096,1110705,1111666,1113042,1113712,1113722,1113769,1113939,1114279,1114585,1114893,1117108,1117155,1117645,1117947,1118338,1119019,1119086,1119766,1119843,1120008,1120318,1120601,1120758,1120854,1120902,1120909,1120955,1121317,1121726,1121789,1121805,1122019,1122159,1122192,1122292,1122324,1122554,1122662,1122764,1122779,1122822,1122885,1122927,1122944,1122971,1122982,1123060,1123061,1123161,1123317,1123348,1123357,1123456,1123538,1123697,1123882,1123933,1124055,1124204,1124235,1124579,1124589,1124728,1124732,1124735,1124969,1124974,1124975,1124976,1124978,1124979,1124980,1124981,1124982,1124984,1124985,1125109,1125125,1125252,1125315,1125614,1125728,1125780,1125797,1125799,1125800,1125907,1125947,1126131,1126209,1126389,1126393,1126476,1126480,1126481,1126488,1126495,1126555,1126579,1126789,1126790,1126802,1126803,1126804,1126805,1126806,1126807,1127042,1127062,1127082,1127154,1127285,1127286,1127307,1127363,1127493,1127494,1127495,1127496,1127497,1127498,1127534,1127561,1127567,1127595,1127603,1127682,1127731,1127750,1127836,1127961,1128094,1128166,1128351,1128451,1128895,1129046,1129080,1129163,1129179,1129181,1129182,1129183,1129184,1129205,1129281,1129284,1129285,1129291,1129292,1129293,1129294,1129295,1129296,1129326,1129327,1129330,1129363,1129366,1129497,1129519,1129543,1129547,1129551,1129581,1129625,1129664,1129739,1129923,807502,824948,828192,925178
CVE References: CVE-2017-5753,CVE-2018-20669,CVE-2019-2024,CVE-2019-3459,CVE-2019-3460,CVE-2019-3819,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222,CVE-2019-7308,CVE-2019-8912,CVE-2019-8980,CVE-2019-9213
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    kernel-default-4.12.14-95.13.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    kernel-docs-4.12.14-95.13.1, kernel-obs-build-4.12.14-95.13.1
SUSE Linux Enterprise Server 12-SP4 (src):    kernel-default-4.12.14-95.13.1, kernel-source-4.12.14-95.13.1, kernel-syms-4.12.14-95.13.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.13.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    kernel-default-4.12.14-95.13.1, kernel-source-4.12.14-95.13.1, kernel-syms-4.12.14-95.13.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-03-27 09:36:42 UTC
SUSE-SU-2019:0765-1: An update that solves 13 vulnerabilities and has 215 fixes is now available.

Category: security (important)
Bug References: 1046305,1046306,1050252,1050549,1051510,1054610,1055121,1056658,1056662,1056787,1060463,1063638,1065600,1068032,1070995,1071995,1074562,1074578,1074701,1075006,1075419,1075748,1078355,1080039,1082943,1083548,1083647,1084216,1086095,1086282,1086301,1086313,1086314,1086323,1087082,1087084,1087092,1087939,1088133,1094555,1098382,1098425,1098995,1102055,1103429,1104353,1106105,1106434,1106811,1107078,1107665,1108101,1108870,1109695,1110096,1110705,1111666,1113042,1113712,1113722,1113769,1113939,1114279,1114585,1114893,1117108,1117155,1117645,1117947,1118338,1119019,1119086,1119766,1119843,1120008,1120318,1120601,1120758,1120854,1120902,1120909,1120955,1121317,1121726,1121789,1121805,1122019,1122159,1122192,1122292,1122324,1122554,1122662,1122764,1122779,1122822,1122885,1122927,1122944,1122971,1122982,1123060,1123061,1123161,1123317,1123348,1123357,1123456,1123538,1123697,1123882,1123933,1124055,1124204,1124235,1124579,1124589,1124728,1124732,1124735,1124969,1124974,1124975,1124976,1124978,1124979,1124980,1124981,1124982,1124984,1124985,1125109,1125125,1125252,1125315,1125614,1125728,1125780,1125797,1125799,1125800,1125907,1125947,1126131,1126209,1126389,1126393,1126476,1126480,1126481,1126488,1126495,1126555,1126579,1126789,1126790,1126802,1126803,1126804,1126805,1126806,1126807,1127042,1127062,1127082,1127154,1127285,1127286,1127307,1127363,1127493,1127494,1127495,1127496,1127497,1127498,1127534,1127561,1127567,1127595,1127603,1127682,1127731,1127750,1127836,1127961,1128094,1128166,1128351,1128451,1128895,1129046,1129080,1129163,1129179,1129181,1129182,1129183,1129184,1129205,1129281,1129284,1129285,1129291,1129292,1129293,1129294,1129295,1129296,1129326,1129327,1129330,1129363,1129366,1129497,1129519,1129543,1129547,1129551,1129581,1129625,1129664,1129739,1129923,807502,824948,828192,925178
CVE References: CVE-2017-5753,CVE-2018-20669,CVE-2019-2024,CVE-2019-3459,CVE-2019-3460,CVE-2019-3819,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222,CVE-2019-7308,CVE-2019-8912,CVE-2019-8980,CVE-2019-9213
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    kernel-default-4.12.14-95.13.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    kernel-docs-4.12.14-95.13.1, kernel-obs-build-4.12.14-95.13.1
SUSE Linux Enterprise Server 12-SP4 (src):    kernel-default-4.12.14-95.13.1, kernel-source-4.12.14-95.13.1, kernel-syms-4.12.14-95.13.1
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kgraft-patch-SLE12-SP4_Update_3-1-6.7.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.13.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    kernel-default-4.12.14-95.13.1, kernel-source-4.12.14-95.13.1, kernel-syms-4.12.14-95.13.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-09-04 19:13:33 UTC
SUSE-SU-2019:2291-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1122292,1122299,1141780,1141782,1141783,1141785,1141787,1141789,1147021
CVE References: CVE-2018-11212,CVE-2019-11771,CVE-2019-11772,CVE-2019-11775,CVE-2019-2449,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-4473,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    java-1_8_0-ibm-1.8.0_sr5.40-3.24.1
SUSE Linux Enterprise Module for Legacy Software 15-SP1 (src):    java-1_8_0-ibm-1.8.0_sr5.40-3.24.1
SUSE Linux Enterprise Module for Legacy Software 15 (src):    java-1_8_0-ibm-1.8.0_sr5.40-3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-09-12 19:48:14 UTC
SUSE-SU-2019:2371-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1122292,1122299,1141780,1141782,1141783,1141785,1141787,1141789,1147021
CVE References: CVE-2018-11212,CVE-2019-11771,CVE-2019-11772,CVE-2019-11775,CVE-2019-2449,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-4473,CVE-2019-7317
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE OpenStack Cloud 8 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE OpenStack Cloud 7 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Enterprise Storage 5 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
SUSE Enterprise Storage 4 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1
HPE Helion Openstack 8 (src):    java-1_8_0-ibm-1.8.0_sr5.40-30.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.