openSUSE-SU-2015:1288

openSUSE-SU-2015:1289

SUSE-SU-2015:1319

SUSE-SU-2015:1320

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

75856

1032910

The Oracle Java SE installed on the remote host is version 7 prior to Update 85, or 8 prior to Update 51 and is therefore affected by an unspecified flaw related to the Install component.  This may allow a local attacker to gain elevated privileges.  No further details have been provided by the vendor.

OpenJDK was updated to 2.6.1 - OpenJDK 7u85 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-2590: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2596: Difficult to exploit vulnerability in the     Hotspot component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized update, insert or delete access to some     Java accessible data.

  - CVE-2015-2597: Easily exploitable vulnerability in the     Install component requiring logon to Operating System.
    Successful attack of this vulnerability could have     resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2601: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2613: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java SE, Java SE Embedded     accessible data.

  - CVE-2015-2619: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2621: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2625: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized read     access to a subset of Java accessible data.

  - CVE-2015-2627: Very difficult to exploit vulnerability     in the Install component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized read access to a subset of Java     accessible data.

  - CVE-2015-2628: Easily exploitable vulnerability in the     CORBA component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2632: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2637: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2638: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-2664: Difficult to exploit vulnerability in the     Deployment component requiring logon to Operating     System. Successful attack of this vulnerability could     have resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2808: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java     accessible data.

  - CVE-2015-4000: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java Embedded     accessible data.

  - CVE-2015-4729: Very difficult to exploit vulnerability     in the Deployment component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized update, insert or delete access     to some Java SE accessible data as well as read access     to a subset of Java SE accessible data.

  - CVE-2015-4731: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4732: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4733: Easily exploitable vulnerability in the     RMI component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4736: Difficult to exploit vulnerability in the     Deployment component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4748: Very difficult to exploit vulnerability     in the Security component allowed successful     unauthenticated network attacks via OCSP. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4749: Difficult to exploit vulnerability in the     JNDI component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-4760: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

OpenJDK was updated to 2.6.1 - OpenJDK 8u51 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-2590: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2597: Easily exploitable vulnerability in the     Install component requiring logon to Operating System.
    Successful attack of this vulnerability could have     resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2601: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2613: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java SE, Java SE Embedded     accessible data.

  - CVE-2015-2619: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2621: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2625: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized read     access to a subset of Java accessible data.

  - CVE-2015-2627: Very difficult to exploit vulnerability     in the Install component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized read access to a subset of Java     accessible data.

  - CVE-2015-2628: Easily exploitable vulnerability in the     CORBA component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2632: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2637: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2638: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-2659: Easily exploitable vulnerability in the     Security component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-2664: Difficult to exploit vulnerability in the     Deployment component requiring logon to Operating     System. Successful attack of this vulnerability could     have resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2808: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java     accessible data.

  - CVE-2015-4000: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java Embedded     accessible data. 

  - CVE-2015-4729: Very difficult to exploit vulnerability     in the Deployment component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized update, insert or delete access     to some Java SE accessible data as well as read access     to a subset of Java SE accessible data.

  - CVE-2015-4731: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4732: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4733: Easily exploitable vulnerability in the     RMI component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4736: Difficult to exploit vulnerability in the     Deployment component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4748: Very difficult to exploit vulnerability     in the Security component allowed successful     unauthenticated network attacks via OCSP. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4749: Difficult to exploit vulnerability in the     JNDI component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-4760: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

OpenJDK was updated to 2.6.1 - OpenJDK 7u85 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-2590: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2596: Difficult to exploit vulnerability in the     Hotspot component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized update, insert or delete access to some     Java accessible data.

  - CVE-2015-2597: Easily exploitable vulnerability in the     Install component requiring logon to Operating System.
    Successful attack of this vulnerability could have     resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2601: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2613: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java SE, Java SE Embedded     accessible data.

  - CVE-2015-2619: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2621: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2625: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized read     access to a subset of Java accessible data.

  - CVE-2015-2627: Very difficult to exploit vulnerability     in the Install component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized read access to a subset of Java     accessible data.

  - CVE-2015-2628: Easily exploitable vulnerability in the     CORBA component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2632: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2637: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2638: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-2664: Difficult to exploit vulnerability in the     Deployment component requiring logon to Operating     System. Successful attack of this vulnerability could     have resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2808: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java     accessible data.

  - CVE-2015-4000: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java Embedded     accessible data. 

  - CVE-2015-4729: Very difficult to exploit vulnerability     in the Deployment component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized update, insert or delete access     to some Java SE accessible data as well as read access     to a subset of Java SE accessible data.

  - CVE-2015-4731: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4732: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4733: Easily exploitable vulnerability in the     RMI component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4736: Difficult to exploit vulnerability in the     Deployment component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4748: Very difficult to exploit vulnerability     in the Security component allowed successful     unauthenticated network attacks via OCSP. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4749: Difficult to exploit vulnerability in the     JNDI component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-4760: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

ID	Name	Product	Family	Severity
9351	Oracle Java SE 7 < Update 85 / 8 < Update 51 Local Privilege Escalation	Nessus Network Monitor	Web Clients	critical
85153	SUSE SLED11 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:1320-1) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	critical
85152	SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:1319-1) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	critical
85002	openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2015-512) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	critical
85001	openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2015-511) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	critical

CVE-2015-2597

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins