openSUSE-SU-2015:0773

openSUSE-SU-2015:0774

SUSE-SU-2015:0833

RHSA-2015:0854

RHSA-2015:0857

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

74135

1032120

GLSA-201603-11

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 45, 7 Update 79, 6 Update 95, or 5 Update 85. It is, therefore, affected by security vulnerabilities in the following components :

 - 2D
 - Beans
 - Deployment
 - Hotspot
 - JavaFX
 - JCE
 - JSSE
 - Tools

The remote host is affected by the vulnerability described in GLSA-201603-11 (Oracle JRE/JDK: Multiple vulnerabilities)

    Multiple vulnerabilities exist in both Oracle&rsquo;s JRE and JDK.  Please       review the referenced CVE&rsquo;s for additional information.
  Impact :

    Remote attackers could gain access to information, remotely execute       arbitrary code, and cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

OpenJDK was updated to version 2.5.5 - OpenJDK 7u79 to fix security issues and bugs.

The following vulnerabilities have been fixed :

  - Deployment: unauthenticated remote attackers could     execute arbitrary code via multiple protocols.
    (CVE-2015-0458)

  - 2D: unauthenticated remote attackers could execute     arbitrary code via multiple protocols. (CVE-2015-0459)

  - Hotspot: unauthenticated remote attackers could execute     arbitrary code via multiple protocols. (CVE-2015-0460)

  - 2D: unauthenticated remote attackers could execute     arbitrary code via multiple protocols. (CVE-2015-0469)

  - Beans: unauthenticated remote attackers could update,     insert or delete some JAVA accessible data via multiple     protocols. (CVE-2015-0477)

  - JCE: unauthenticated remote attackers could read some     JAVA accessible data via multiple protocols.
    (CVE-2015-0478)

  - Tools: unauthenticated remote attackers could update,     insert or delete some JAVA accessible data via multiple     protocols and cause a partial denial of service (partial     DOS). (CVE-2015-0480)

  - JavaFX: unauthenticated remote attackers could read,     update, insert or delete access some Java accessible     data via multiple protocols and cause a partial denial     of service (partial DOS). (CVE-2015-0484)

  - JSSE: unauthenticated remote attackers could cause a     partial denial of service (partial DOS). (CVE-2015-0488)

  - 2D: unauthenticated remote attackers could execute     arbitrary code via multiple protocols. (CVE-2015-0491)

  - JavaFX: unauthenticated remote attackers could execute     arbitrary code via multiple protocols. (CVE-2015-0492)

OpenJDK was updated to jdk8u45-b14 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-0458: Deployment: unauthenticated remote     attackers could execute arbitrary code via multiple     protocols.

  - CVE-2015-0459: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0460: Hotspot: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0469: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0470: Hotspot: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols

  - CVE-2015-0477: Beans: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols

  - CVE-2015-0478: JCE: unauthenticated remote attackers     could read some JAVA accessible data via multiple     protocols

  - CVE-2015-0480: Tools: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols and cause a partial denial of     service (partial DOS)

  - CVE-2015-0484: JavaFX: unauthenticated remote attackers     could read, update, insert or delete access some Java     accessible data via multiple protocols and cause a     partial denial of service (partial DOS).

  - CVE-2015-0486: Deployment: unauthenticated remote     attackers could read some JAVA accessible data via     multiple protocols

  - CVE-2015-0488: JSSE: unauthenticated remote attackers     could cause a partial denial of service (partial DOS).

  - CVE-2015-0491: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0492: JavaFX: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

OpenJDK was updated to 2.5.5 - OpenJdk 7u79 to fix security issues and bugs :

The following vulnerabilities were fixed :

  - CVE-2015-0458: Deployment: unauthenticated remote     attackers could execute arbitrary code via multiple     protocols.

  - CVE-2015-0459: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0460: Hotspot: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0469: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0477: Beans: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols

  - CVE-2015-0478: JCE: unauthenticated remote attackers     could read some JAVA accessible data via multiple     protocols

  - CVE-2015-0480: Tools: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols and cause a partial denial of     service (partial DOS)

  - CVE-2015-0484: JavaFX: unauthenticated remote attackers     could read, update, insert or delete access some Java     accessible data via multiple protocols and cause a     partial denial of service (partial DOS).

  - CVE-2015-0488: JSSE: unauthenticated remote attackers     could cause a partial denial of service (partial DOS).

  - CVE-2015-0491: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0492: JavaFX: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 79 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 45 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 45, 7 Update 79, 6 Update 95, or 5 Update 85. It is, therefore, affected by security vulnerabilities in the following components :

  - 2D
  - Beans
  - Deployment
  - Hotspot
  - JavaFX
  - JCE
  - JSSE
  - Tools

The Oracle Java SE installed on the remote host is version 7 prior to Update 77; therefore, it is affected by multiple vulnerabilities.  While the details of these vulnerabilities are not currently known, the vendor has acknowledged that confidentiality, integrity, and availability can be impacted remotely.  The components affected by these vulnerabilities are:

 - 2D running on client deployments of Oracle Java (CVE-2015-0491, CVE-2015-0459, CVE-2015-0469)
 - Beans running on both client and server deployments of Java Secure Socket Extension (CVE-2015-0477)
 - Deployment running on client deployments of Oracle Java (CVE-2015-0458)
 - Hotspot running on client deployments of Oracle Java (CVE-2015-0460)
 - JSSE running on client or server deployments of Oracle Java (CVE-2015-0488)
 - Tools running on client deployments of Oracle Java (CVE-2015-0480)
 - JCE running on client or server deployments of Oracle Java (CVE-2015-0478)
 - Several undisclosed attack vectors which affect client and server deployments of Oracle Java (CVE-2015-0492, CVE-2015-0484)

The Oracle Java SE installed on the remote host is version 8 prior to Update 41; therefore, it is affected by multiple vulnerabilities.  While the details of these vulnerabilities are not currently known, the vendor has acknowledged that confidentiality, integrity, and availability can be impacted remotely.  The components affected by these vulnerabilities are:

 - 2D running on client deployments of Oracle Java (CVE-2015-0491, CVE-2015-0459, CVE-2015-0469)
 - Beans running on both client and server deployments of Java Secure Socket Extension (CVE-2015-0477)
 - Deployment running on client deployments of Oracle Java (CVE-2015-0458, CVE-2015-0486)
 - Hotspot running on client deployments of Oracle Java (CVE-2015-0460, CVE-2015-0470)
 - JSSE running on client or server deployments of Oracle Java (CVE-2015-0488)
 - Tools running on client deployments of Oracle Java (CVE-2015-0480)
 - JCE running on client or server deployments of Oracle Java (CVE-2015-0478)
 - Several undisclosed attack vectors which affect client and server deployments of Oracle Java (CVE-2015-0492, CVE-2015-0484)

ID	Name	Product	Family	Severity
700650	Oracle Java SE 5 < Update 85 / 6 < Update 95 / 7 < Update 79 / 8 < Update 45 Multiple Vulnerabilities (April 2015 CPU) (FREAK)	Nessus Network Monitor	Web Clients	critical
89904	GLSA-201603-11 : Oracle JRE/JDK: Multiple vulnerabilities (Logjam)	Nessus	Gentoo Local Security Checks	critical
83287	SuSE 11.3 Security Update : java-1_7_0-openjdk (SAT Patch Number 10621)	Nessus	SuSE Local Security Checks	critical
83107	openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2015-332)	Nessus	SuSE Local Security Checks	critical
83106	openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2015-331)	Nessus	SuSE Local Security Checks	critical
82909	RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2015:0857)	Nessus	Red Hat Local Security Checks	critical
82897	RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2015:0854)	Nessus	Red Hat Local Security Checks	critical
82821	Oracle Java SE Multiple Vulnerabilities (April 2015 CPU) (Unix) (FREAK)	Nessus	Misc.	critical
82820	Oracle Java SE Multiple Vulnerabilities (April 2015 CPU) (FREAK)	Nessus	Windows	critical
8749	Oracle Java SE 7 < Update 77 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
8748	Oracle Java SE 8 < Update 41 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical

CVE-2015-0484

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins