RHSA-2017:0175

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

95581

1037637

GLSA-201701-65

https://security.netapp.com/advisory/ntap-20170119-0001/

An update of the openjre package has been released.

An update of the openjdk package has been released.

An update of [gnutls,openjdk,openjre] packages for PhotonOS has been released.

The version of Oracle Java SE installed on the remote host is prior to 6 Update 141, 7 Update 131, or 8 Update 121 and is affected by multiple vulnerabilities :

 - A flaw exists in the 'ECDSASignature' class of the Libraries subcomponent. The issue is triggered when handling signatures from DER input. This may allow a remote attacker to cause a signature in an incorrect format to be accepted. (CVE-2016-5546)
 - An unspecified flaw exists related to the Libraries subcomponent. This may allow a remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-5547)
 - An unspecified flaw exists related to the Libraries subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2016-5548, CVE-2016-5549)
 - An unspecified flaw exists related to the Networking subcomponent. This may allow a remote attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2016-5552)
 - A flaw exists in the Install New Software and Update features in the Mission Control subcomponent that may allow a man-in-the-middle attacker to intercept and manipulate JAR files, potentially resulting in the installation of malicious content. (CVE-2016-8328)
 - An unspecified flaw exists related to the Networking subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3231)
 - A flaw exists in the RMI registry and DCG (Distributed Garbage Collector) implementation that is triggered as certain input is not properly sanitized before being deserialized. This may allow a remote attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3241)
 - An unspecified flaw exists related to the JAAS subcomponent. This may allow a context-dependent attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2017-3252)
 - A flaw exists in the 'PNGImageReader::readMetadata()' function in 'imageio/plugins/png/PNGImageReader.java' that is triggered when handling 'zTXt' and 'iTXt' image chunks. With a specially crafted PNG image, a remote attacker can exhaust available memory resources. (CVE-2017-3253)
 - An unspecified flaw exists related to the Deployment subcomponent. This may allow a remote attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3259)
 - An unspecified flaw exists related to the Networking subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3261)
 - An unspecified flaw exists related to the Java Mission Control subcomponent. This may allow a remote attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3262)
 - A flaw exists related to improper restrictions on protected field members for the atomic field updaters in the 'java.util.concurrent.atomic' package. This may allow a context-dependent attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3272)
 - A flaw exists in the Hotspot subcomponent related to insecure class construction when handling exception stack frames. This may allow a context-dependent attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3289)

The remote host is affected by the vulnerability described in GLSA-201701-65 (Oracle JRE/JDK: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in in Oracle&rsquo;s JRE and       JDK. Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, gain access to information, or cause a Denial       of Service condition.
  Workaround :

    There is no known workaround at this time.

An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update upgrades Oracle Java SE 8 to version 8 Update 121.

Security Fix(es) :

* This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.
Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289)

This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 121, 7 Update 131, or 6 Update 141. It is, therefore, affected by multiple vulnerabilities :

  - A vulnerability exists in the Libraries subcomponent,     known as SWEET32, in the 3DES and Blowfish algorithms     due to the use of weak 64-bit block ciphers by default.
    A man-in-the-middle attacker who has sufficient     resources can exploit this vulnerability, via a     'birthday' attack, to detect a collision that leaks the     XOR between the fixed secret and a known plaintext,     allowing the disclosure of the secret text, such as     secure HTTPS cookies, and possibly resulting in the     hijacking of an authenticated session. (CVE-2016-2183)

  - An unspecified flaw exists in the Libraries subcomponent     that allows an unauthenticated, remote attacker to     impact integrity. (CVE-2016-5546)

  - An unspecified flaw exists in the Libraries subcomponent     that allows an unauthenticated, remote attacker to cause     a denial of service condition. (CVE-2016-5547)

  - Multiple unspecified flaws exist in the Libraries     subcomponent that allow an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2016-5548, CVE-2016-5549)

  - An unspecified flaw exists in the Networking     subcomponent that allows an unauthenticated, remote     attacker to impact integrity. (CVE-2016-5552)

  - An unspecified flaw exists in the Mission Control     subcomponent that allows an unauthenticated, remote     attacker to impact integrity. (CVE-2016-8328)

  - Multiple unspecified flaws exist in the Networking     subcomponent that allow an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2017-3231, CVE-2017-3261)

  - An unspecified flaw exists in the RMI subcomponent that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2017-3241)

  - An unspecified flaw exists in the JAAS subcomponent that     allows an unauthenticated, remote attacker to impact     integrity. (CVE-2017-3252)

  - An unspecified flaw exists in the 2D subcomponent that     allows an unauthenticated, remote attacker to cause a     denial of service condition. (CVE-2017-3253)

  - An unspecified flaw exists in the Deployment     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2017-3259)

  - An unspecified flaw exists in the AWT subcomponent that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2017-3260)

  - An unspecified flaw exists in the Java Mission Control     subcomponent that allows an unauthenticated, remote     attacker to disclose sensitive information.
    (CVE-2017-3262)

  - An unspecified flaw exists in the Libraries subcomponent     that allows an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2017-3272)

  - An unspecified flaw exists in the Hotspot subcomponent     that allows an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2017-3289)

Note that CVE-2017-3241 can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.
Note that CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, and CVE-2017-3253 can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. They can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

ID	Name	Product	Family	Severity
121694	Photon OS 1.0: Openjre PHSA-2017-0016	Nessus	PhotonOS Local Security Checks	high
121693	Photon OS 1.0: Openjdk PHSA-2017-0016	Nessus	PhotonOS Local Security Checks	high
111865	Photon OS 1.0: Gnutls / Linux / Openjdk / Openjre PHSA-2017-0016 (deprecated)	Nessus	PhotonOS Local Security Checks	high
9917	Oracle Java SE 6 < Update 141 / 7 < Update 131 / 8 < Update 121 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
96787	GLSA-201701-65 : Oracle JRE/JDK: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
96650	RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2017:0175)	Nessus	Red Hat Local Security Checks	critical
96629	Oracle Java SE Multiple Vulnerabilities (January 2017 CPU) (Unix) (SWEET32)	Nessus	Misc.	critical
96628	Oracle Java SE Multiple Vulnerabilities (January 2017 CPU) (SWEET32)	Nessus	Windows	critical

CVE-2016-8328

low

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

critical

critical

critical

critical

critical