openSUSE-SU-2015:1288

openSUSE-SU-2015:1289

SUSE-SU-2015:1319

SUSE-SU-2015:1320

RHSA-2015:1241

RHSA-2015:1242

RHSA-2015:1243

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

75893

1032910

GLSA-201603-11

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 51, 7 Update 85, or 6 Update 101. It is, therefore, affected by security vulnerabilities in the following components :

 - 2D
 - CORBA
 - Deployment
 - Hotspot
 - Install
 - JCE
 - JMX
 - JNDI
 - JSSE
 - Libraries
 - RMI
 - Security

The remote host is affected by the vulnerability described in GLSA-201603-11 (Oracle JRE/JDK: Multiple vulnerabilities)

    Multiple vulnerabilities exist in both Oracle&rsquo;s JRE and JDK.  Please       review the referenced CVE&rsquo;s for additional information.
  Impact :

    Remote attackers could gain access to information, remotely execute       arbitrary code, and cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

The Oracle Java SE installed on the remote host is version 6 prior to Update 101, 7 prior to Update 85, or 8 prior to Update 51 and is affected by multiple vulnerabilities: 

 - A flaw in the 'ObjectInputStream::readSerialData()' function in 'share/classes/java/io/ObjectInputStream.java' that is triggered when handling OIS data allowing a context-dependent attacker to execute arbitrary code. (CVE-2015-2590) 
 - An unspecified flaw related to the Hotspot component may allow a context-dependent attacker to have an impact on integrity. (CVE-2015-2596) 
 - A flaw in the JCE component as various cryptographic operations use non-constant time comparisons allowing a remote attacker to conduct timing attacks in order to possibly glean sensitive information. (CVE-2015-2601)  
 - A flaw in the 'ECDH_Derive()' function in 'share/native/sun/security/ec/impl/ec.c' related to missing EC parameter validation when performing ECDH key derivation allowing a remote attacker to disclose potentially sensitive information. (CVE-2015-2613) 
 - An unspecified flaw related to the 2D component may allow a context-dependent attacker to gain access to sensitive information. (CVE-2015-2619) 
 - A flaw in the 'RMIConnectionImpl' constructor in 'share/classes/javax/management/remote/rmi/RMIConnectionImpl.java'. The issue is triggered due to improper permission checks when creating repository class loaders allowing a context-dependent attacker to bypass sandbox restrictions and disclose sensitive information.  (CVE-2015-2621) 
 - A flaw in the JSSE component that is triggered when performing X.509 certificate identity checks allowing a remote attacker to have a certificate for another domain being accepted as valid. (CVE-2015-2625) 
 - An unspecified flaw related to the Install component allowing a remote attacker to gain access to sensitive information. (CVE-2015-2627) 
 - A typecasting flaw in 'share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java' that is triggered when handling IIOP operations allowing a context-dependent attacker to potentially execute arbitrary code. (CVE-2015-2628) 
 - International Components for Unicode for C/C++ (ICU4C) contains an integer overflow condition in the 'LETableReference::verifyLength()' function in 'layout/LETableReference.h'. With a specially crafted font, a context-dependent attacker can crash an application linked against the library or potentially disclose memory contents. (CVE-2015-2632) 
 - An unspecified flaw related to the 2D component allowing a context-dependent attacker to gain access to sensitive information. (CVE-2015-2637) 
 - An unspecified flaw related to the 2D component allowing a context-dependent attacker to execute arbitrary code. (CVE-2015-2638) 
 - A NULL pointer dereference flaw in 'share/classes/com/sun/crypto/provider/GCTR.java' related to the GCM (Galois Counter Mode) implementation. The issue is triggered when performing encryption using a block cipher in GCM mode and may allow a remote attacker to cause a crash. (CVE-2015-2659) 
 - An unspecified flaw in the Deployment component allowing a local attacker to gain elevated privileges. (CVE-2015-2664) 
 - An unspecified flaw related to the Deployment component may allow a remote attacker to have an impact on confidentiality and integrity. (CVE-2015-4729) 
 - A flaw in 'share/classes/javax/management/MBeanServerInvocationHandler.java' is triggered when handling MBean connection proxy classes allowing a context-dependent attacker to bypass sandbox restrictions and potentially execute arbitrary code. (CVE-2015-4731) 
 - A flaw in 'share/classes/java/io/ObjectInputStream.java' and 'share/classes/java/io/SerialCallbackContext.java' related to insufficient context checks allowing a context-dependent attacker to potentially execute arbitrary code. (CVE-2015-4732) 
 - A flaw in the 'RemoteObjectInvocationHandler::invoke()' function in 'share/classes/java/rmi/server/RemoteObjectInvocationHandler.java'. The issue is triggered as calls to the finalize() method are permitted allowing a context-dependent attacker to bypass sandbox protections and potentially execute arbitrary code. (CVE-2015-4733) 
 - An unspecified flaw related to the Deployment component may allow a context-dependent attacker to execute arbitrary code. (CVE-2015-4736) 
  -  A flaw that is triggered when handling Online Certificate Status Protocol (OCSP) responses with no 'nextUpdate' date specified allowing a remote attacker to cause an application to accept a revoked X.509 certificate. (CVE-2015-4748) 
 - A flaw in the 'DnsClient::query()' function in 'share/classes/com/sun/jndi/dns/DnsClient.java'. The issue is triggered as JNDI DnsClient's exception handling fails to release request information allowing a remote attacker to exhaust memory resources and cause a denial of service. (CVE-2015-4749) 
 -International Components for Unicode for C/C++ (ICU4C) contains overflow conditions in the layout engine. With a specially crafted font, a context-dependent attacker can cause a buffer overflow, crashing an application linked against the library or potentially allowing execution of arbitrary code. (CVE-2015-4760) 

OpenJDK was updated to 2.6.1 - OpenJDK 7u85 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-2590: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2596: Difficult to exploit vulnerability in the     Hotspot component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized update, insert or delete access to some     Java accessible data.

  - CVE-2015-2597: Easily exploitable vulnerability in the     Install component requiring logon to Operating System.
    Successful attack of this vulnerability could have     resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2601: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2613: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java SE, Java SE Embedded     accessible data.

  - CVE-2015-2619: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2621: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2625: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized read     access to a subset of Java accessible data.

  - CVE-2015-2627: Very difficult to exploit vulnerability     in the Install component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized read access to a subset of Java     accessible data.

  - CVE-2015-2628: Easily exploitable vulnerability in the     CORBA component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2632: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2637: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2638: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-2664: Difficult to exploit vulnerability in the     Deployment component requiring logon to Operating     System. Successful attack of this vulnerability could     have resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2808: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java     accessible data.

  - CVE-2015-4000: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java Embedded     accessible data.

  - CVE-2015-4729: Very difficult to exploit vulnerability     in the Deployment component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized update, insert or delete access     to some Java SE accessible data as well as read access     to a subset of Java SE accessible data.

  - CVE-2015-4731: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4732: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4733: Easily exploitable vulnerability in the     RMI component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4736: Difficult to exploit vulnerability in the     Deployment component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4748: Very difficult to exploit vulnerability     in the Security component allowed successful     unauthenticated network attacks via OCSP. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4749: Difficult to exploit vulnerability in the     JNDI component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-4760: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

OpenJDK was updated to 2.6.1 - OpenJDK 8u51 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-2590: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2597: Easily exploitable vulnerability in the     Install component requiring logon to Operating System.
    Successful attack of this vulnerability could have     resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2601: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2613: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java SE, Java SE Embedded     accessible data.

  - CVE-2015-2619: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2621: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2625: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized read     access to a subset of Java accessible data.

  - CVE-2015-2627: Very difficult to exploit vulnerability     in the Install component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized read access to a subset of Java     accessible data.

  - CVE-2015-2628: Easily exploitable vulnerability in the     CORBA component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2632: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2637: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2638: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-2659: Easily exploitable vulnerability in the     Security component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-2664: Difficult to exploit vulnerability in the     Deployment component requiring logon to Operating     System. Successful attack of this vulnerability could     have resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2808: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java     accessible data.

  - CVE-2015-4000: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java Embedded     accessible data. 

  - CVE-2015-4729: Very difficult to exploit vulnerability     in the Deployment component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized update, insert or delete access     to some Java SE accessible data as well as read access     to a subset of Java SE accessible data.

  - CVE-2015-4731: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4732: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4733: Easily exploitable vulnerability in the     RMI component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4736: Difficult to exploit vulnerability in the     Deployment component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4748: Very difficult to exploit vulnerability     in the Security component allowed successful     unauthenticated network attacks via OCSP. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4749: Difficult to exploit vulnerability in the     JNDI component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-4760: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

OpenJDK was updated to 2.6.1 - OpenJDK 7u85 to fix security issues and bugs.

The following vulnerabilities were fixed :

  - CVE-2015-2590: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2596: Difficult to exploit vulnerability in the     Hotspot component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized update, insert or delete access to some     Java accessible data.

  - CVE-2015-2597: Easily exploitable vulnerability in the     Install component requiring logon to Operating System.
    Successful attack of this vulnerability could have     resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2601: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2613: Easily exploitable vulnerability in the     JCE component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java SE, Java SE Embedded     accessible data.

  - CVE-2015-2619: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2621: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2625: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized read     access to a subset of Java accessible data.

  - CVE-2015-2627: Very difficult to exploit vulnerability     in the Install component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized read access to a subset of Java     accessible data.

  - CVE-2015-2628: Easily exploitable vulnerability in the     CORBA component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-2632: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2637: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     read access to a subset of Java accessible data.

  - CVE-2015-2638: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-2664: Difficult to exploit vulnerability in the     Deployment component requiring logon to Operating     System. Successful attack of this vulnerability could     have resulted in unauthorized Operating System takeover     including arbitrary code execution.

  - CVE-2015-2808: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java     accessible data.

  - CVE-2015-4000: Very difficult to exploit vulnerability     in the JSSE component allowed successful unauthenticated     network attacks via SSL/TLS. Successful attack of this     vulnerability could have resulted in unauthorized     update, insert or delete access to some Java accessible     data as well as read access to a subset of Java Embedded     accessible data. 

  - CVE-2015-4729: Very difficult to exploit vulnerability     in the Deployment component allowed successful     unauthenticated network attacks via multiple protocols.
    Successful attack of this vulnerability could have     resulted in unauthorized update, insert or delete access     to some Java SE accessible data as well as read access     to a subset of Java SE accessible data.

  - CVE-2015-4731: Easily exploitable vulnerability in the     JMX component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4732: Easily exploitable vulnerability in the     Libraries component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4733: Easily exploitable vulnerability in the     RMI component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

  - CVE-2015-4736: Difficult to exploit vulnerability in the     Deployment component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4748: Very difficult to exploit vulnerability     in the Security component allowed successful     unauthenticated network attacks via OCSP. Successful     attack of this vulnerability could have resulted in     unauthorized Operating System takeover including     arbitrary code execution.

  - CVE-2015-4749: Difficult to exploit vulnerability in the     JNDI component allowed successful unauthenticated     network attacks via multiple protocols. Successful     attack of this vulnerability could have resulted in     unauthorized ability to cause a partial denial of     service (partial DOS).

  - CVE-2015-4760: Easily exploitable vulnerability in the     2D component allowed successful unauthenticated network     attacks via multiple protocols. Successful attack of     this vulnerability could have resulted in unauthorized     Operating System takeover including arbitrary code     execution.

Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change.

Note: This update forces the TLS/SSL client implementation in Oracle JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change.

All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 101 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2596, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change.

Note: This update forces the TLS/SSL client implementation in Oracle JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change.

All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 85 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2659, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change.

Note: This update forces the TLS/SSL client implementation in Oracle JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change.

All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 51 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 51, 7 Update 85, or 6 Update 101. It is, therefore, affected by security vulnerabilities in the following components :

  - 2D
  - CORBA
  - Deployment
  - Hotspot
  - Install
  - JCE
  - JMX
  - JNDI
  - JSSE
  - Libraries
  - RMI
  - Security

ID	Name	Product	Family	Severity
700651	Oracle Java SE Multiple 6 < Update 101 / 7 < Update 85 / 8 < Update 51 Multiple Vulnerabilities (July 2015 CPU) (Bar Mitzvah)	Nessus Network Monitor	Web Clients	critical
89904	GLSA-201603-11 : Oracle JRE/JDK: Multiple vulnerabilities (Logjam)	Nessus	Gentoo Local Security Checks	low
8918	Oracle Java SE 6 < Update 101 / 7 < Update 85 / 8 < Update 51 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
85153	SUSE SLED11 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:1320-1) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	low
85152	SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:1319-1) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	low
85002	openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2015-512) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	low
85001	openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2015-511) (Bar Mitzvah) (Logjam)	Nessus	SuSE Local Security Checks	low
84873	RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2015:1243) (Bar Mitzvah) (Logjam)	Nessus	Red Hat Local Security Checks	low
84872	RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2015:1242) (Bar Mitzvah) (Logjam)	Nessus	Red Hat Local Security Checks	low
84871	RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2015:1241) (Bar Mitzvah) (Logjam)	Nessus	Red Hat Local Security Checks	low
84825	Oracle Java SE Multiple Vulnerabilities (July 2015 CPU) (Unix) (Bar Mitzvah)	Nessus	Misc.	critical
84824	Oracle Java SE Multiple Vulnerabilities (July 2015 CPU) (Bar Mitzvah)	Nessus	Windows	critical

CVE-2015-2627

LOW

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

low

critical

low

low

low

low

low

low

low

critical

critical