openSUSE-SU-2015:0773

RHSA-2015:0854

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

74145

1032120

http://www-01.ibm.com/support/docview.wss?uid=swg21883640

GLSA-201603-11

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 45, 7 Update 79, 6 Update 95, or 5 Update 85. It is, therefore, affected by security vulnerabilities in the following components :

 - 2D
 - Beans
 - Deployment
 - Hotspot
 - JavaFX
 - JCE
 - JSSE
 - Tools

The remote host is affected by the vulnerability described in GLSA-201603-11 (Oracle JRE/JDK: Multiple vulnerabilities)

    Multiple vulnerabilities exist in both Oracle&rsquo;s JRE and JDK.  Please       review the referenced CVE&rsquo;s for additional information.
  Impact :

    Remote attackers could gain access to information, remotely execute       arbitrary code, and cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities :

  - The Global Security Kit (GSKit) contains a flaw due to     improper restrictions of TLS state transitions. A     man-in-the-middle attacker can exploit this to downgrade     the security of a session to use EXPORT_RSA ciphers.
    This allows the attacker to more easily break the     encryption and monitor or tamper with the encrypted     stream. (CVE-2015-0138)

  - An unspecified flaw exists that allows an attacker to     execute code running under a security manager with     elevated privileges.(CVE-2015-0192)

  - A security feature bypass vulnerability, known as FREAK     (Factoring attack on RSA-EXPORT Keys), exists due to the     support of weak EXPORT_RSA cipher suites with keys less     than or equal to 512 bits. A man-in-the-middle attacker     may be able to downgrade the SSL/TLS connection to use     EXPORT_RSA cipher suites which can be factored in a     short amount of time, allowing the attacker to intercept     and decrypt the traffic. (CVE-2015-0204)

  - Multiple unspecified vulnerabilities exist in multiple     Java subcomponents including 2D, Beans, Deployment, JCE,     JSSE, and tools. (CVE-2015-0458, CVE-2015-0459,     CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,     CVE-2015-0480, CVE-2015-0486, CVE-2015-0488,     CVE-2015-0491)

  - An unspecified flaw exists that allows a remote attacker     to bypass permission checks and gain access to sensitive     information. (CVE-2015-1914)

  - An unspecified flaw exists due to the Socket Extension     Provider's handling of TLS and SSL connections. A remote     attacker can exploit this to cause a denial of service.
    (CVE-2015-1916)

  - A security feature bypass vulnerability exists, known as     Bar Mitzvah, due to improper combination of state data     with key data by the RC4 cipher algorithm during the     initialization phase. A man-in-the-middle attacker can     exploit this, via a brute-force attack using LSB values,     to decrypt the traffic. (CVE-2015-2808)

OpenJDK was updated to jdk8u45-b14 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-0458: Deployment: unauthenticated remote     attackers could execute arbitrary code via multiple     protocols.

  - CVE-2015-0459: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0460: Hotspot: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0469: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0470: Hotspot: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols

  - CVE-2015-0477: Beans: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols

  - CVE-2015-0478: JCE: unauthenticated remote attackers     could read some JAVA accessible data via multiple     protocols

  - CVE-2015-0480: Tools: unauthenticated remote attackers     could update, insert or delete some JAVA accessible data     via multiple protocols and cause a partial denial of     service (partial DOS)

  - CVE-2015-0484: JavaFX: unauthenticated remote attackers     could read, update, insert or delete access some Java     accessible data via multiple protocols and cause a     partial denial of service (partial DOS).

  - CVE-2015-0486: Deployment: unauthenticated remote     attackers could read some JAVA accessible data via     multiple protocols

  - CVE-2015-0488: JSSE: unauthenticated remote attackers     could cause a partial denial of service (partial DOS).

  - CVE-2015-0491: 2D: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

  - CVE-2015-0492: JavaFX: unauthenticated remote attackers     could execute arbitrary code via multiple protocols.

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 45 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 45, 7 Update 79, 6 Update 95, or 5 Update 85. It is, therefore, affected by security vulnerabilities in the following components :

  - 2D
  - Beans
  - Deployment
  - Hotspot
  - JavaFX
  - JCE
  - JSSE
  - Tools

The Oracle Java SE installed on the remote host is version 8 prior to Update 41; therefore, it is affected by multiple vulnerabilities.  While the details of these vulnerabilities are not currently known, the vendor has acknowledged that confidentiality, integrity, and availability can be impacted remotely.  The components affected by these vulnerabilities are:

 - 2D running on client deployments of Oracle Java (CVE-2015-0491, CVE-2015-0459, CVE-2015-0469)
 - Beans running on both client and server deployments of Java Secure Socket Extension (CVE-2015-0477)
 - Deployment running on client deployments of Oracle Java (CVE-2015-0458, CVE-2015-0486)
 - Hotspot running on client deployments of Oracle Java (CVE-2015-0460, CVE-2015-0470)
 - JSSE running on client or server deployments of Oracle Java (CVE-2015-0488)
 - Tools running on client deployments of Oracle Java (CVE-2015-0480)
 - JCE running on client or server deployments of Oracle Java (CVE-2015-0478)
 - Several undisclosed attack vectors which affect client and server deployments of Oracle Java (CVE-2015-0492, CVE-2015-0484)

ID	Name	Product	Family	Severity
700650	Oracle Java SE 5 < Update 85 / 6 < Update 95 / 7 < Update 79 / 8 < Update 45 Multiple Vulnerabilities (April 2015 CPU) (FREAK)	Nessus Network Monitor	Web Clients	critical
89904	GLSA-201603-11 : Oracle JRE/JDK: Multiple vulnerabilities (Logjam)	Nessus	Gentoo Local Security Checks	critical
84087	AIX Java Advisory : java_april2015_advisory.asc (Bar Mitzvah) (FREAK)	Nessus	AIX Local Security Checks	critical
83107	openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2015-332)	Nessus	SuSE Local Security Checks	critical
82897	RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2015:0854)	Nessus	Red Hat Local Security Checks	critical
82821	Oracle Java SE Multiple Vulnerabilities (April 2015 CPU) (Unix) (FREAK)	Nessus	Misc.	critical
82820	Oracle Java SE Multiple Vulnerabilities (April 2015 CPU) (FREAK)	Nessus	Windows	critical
8748	Oracle Java SE 8 < Update 41 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical

CVE-2015-0486

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins