
Oracle Java SE 6 < Update 141 / 7 < Update 131 / 8 < Update 121 Multiple Vulnerabilities

Critical

Synopsis

The remote host is missing a critical Oracle Java SE patch update.

Description

The version of Oracle Java SE installed on the remote host is prior to 6 Update 141, 7 Update 131, or 8 Update 121 and is affected by multiple vulnerabilities:

- A flaw exists in the 'ECDSASignature' class of the Libraries subcomponent. The issue is triggered when handling signatures from DER input. This may allow a remote attacker to cause a signature in an incorrect format to be accepted. (CVE-2016-5546)
- An unspecified flaw exists related to the Libraries subcomponent. This may allow a remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-5547)
- An unspecified flaw exists related to the Libraries subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2016-5548, CVE-2016-5549)
- An unspecified flaw exists related to the Networking subcomponent. This may allow a remote attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2016-5552)
- A flaw exists in the Install New Software and Update features in the Mission Control subcomponent that may allow a man-in-the-middle attacker to intercept and manipulate JAR files, potentially resulting in the installation of malicious content. (CVE-2016-8328)
- An unspecified flaw exists related to the Networking subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3231)
- A flaw exists in the RMI registry and DGC (Distributed Garbage Collector) implementation that is triggered because certain input is not properly sanitized before being deserialized. This may allow a remote attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3241)
- An unspecified flaw exists related to the JAAS subcomponent. This may allow a context-dependent attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2017-3252)
- A flaw exists in the 'PNGImageReader::readMetadata()' function in 'imageio/plugins/png/PNGImageReader.java' that is triggered when handling 'zTXt' and 'iTXt' image chunks. With a specially crafted PNG image, a remote attacker can exhaust available memory resources. (CVE-2017-3253)
- An unspecified flaw exists related to the Deployment subcomponent. This may allow a remote attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3259)
- An unspecified flaw exists related to the Networking subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3261)
- An unspecified flaw exists related to the Java Mission Control subcomponent. This may allow a remote attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3262)
- A flaw exists related to improper restrictions on protected field members for the atomic field updaters in the 'java.util.concurrent.atomic' package. This may allow a context-dependent attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3272)
- A flaw exists in the Hotspot subcomponent related to insecure class construction when handling exception stack frames. This may allow a context-dependent attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3289)

Solution

Upgrade to Java 1.8.0_121 or later. If version 1.8.x cannot be obtained, versions 1.7.0_131 and 1.6.0_141 are also patched for these vulnerabilities.
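A version check against the three patched update levels stated above, as an added example that is not part of this advisory or of any scanner's own plugin code. It assumes the legacy `1.<major>.0_<update>` version string that `java -version` prints for Java SE 6, 7 and 8 (to stderr), and treats Java 9+ naming as out of scope; the sample banner is constructed.

```python
import re
from typing import Optional, Tuple

# Minimum patched update per major line, as stated in the advisory:
# Java SE 6 Update 141, 7 Update 131, 8 Update 121.
FIXED_UPDATE = {6: 141, 7: 131, 8: 121}

# Legacy "1.<major>.0_<update>" form, e.g. '1.8.0_112' or '1.7.0_131-b12'
# (a trailing build suffix is ignored).
_LEGACY = re.compile(r"^1\.(\d+)\.0_(\d+)")

# Constructed sample of a `java -version` banner; not captured from a real host.
SAMPLE_BANNER = """java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)"""


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner or a bare version string.

    Returns None when no legacy 1.x.0_NN version is present, e.g. for Java 9+
    which uses the '9.0.1' scheme and is outside this advisory's scope.
    """
    m = re.search(r'version "([^"]+)"', text)
    version = m.group(1) if m else text.strip()
    lm = _LEGACY.match(version)
    if not lm:
        return None
    return int(lm.group(1)), int(lm.group(2))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the installed Java SE 6/7/8 is older than its patched update,
    False if it is at or past that update, None if the version is not one
    the advisory covers."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update < fixed


if __name__ == "__main__":
    # 8u112 is below 8u121, so the constructed host would be flagged.
    print("vulnerable:", is_vulnerable(SAMPLE_BANNER))
```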