CVE-2016-5542
Public on 2016-10-25
Modified on 2017-06-06
Description
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | java-1.6.0-openjdk | 2017-02-06 | ALAS-2017-795 | Fixed |
| Amazon Linux 1 | java-1.7.0-openjdk | 2016-11-18 | ALAS-2016-771 | Fixed |
| Amazon Linux 1 | java-1.7.0-openjdk | 2017-06-06 | ALAS-2017-835 | Fixed |
| Amazon Linux 1 | java-1.8.0-openjdk | 2016-10-27 | ALAS-2016-759 | Fixed |
| Amazon Linux 1 | java-1.8.0-openjdk | 2017-05-09 | ALAS-2017-827 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv2 | 2.6 | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| Amazon Linux | CVSSv3 | 3.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
| NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| NVD | CVSSv3 | 3.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |