http://www.ibm.com/support/docview.wss?uid=swg22007305&myns=swgtiv&mynp=OCSSJQQ3&mync=E&cm_sp=swgtiv-_-OCSSJQQ3-_-E

RHSA-2017:2469

RHSA-2017:2481

https://exchange.xforce.ibmcloud.com/vulnerabilities/126873

The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following subcomponents :

  - A flaw exists in the J9 VM class verifier component that     allows an unauthenticated, remote attacker to cause an     escalation of privileges. (CVE-2017-1376)

  - A flaw exists in the installp and updatep packages that     prevents security updates from being correctly applied.
    (CVE-2017-1541)

  - An unspecified flaw exists in the 2D component that     allows an unauthenticated, remote attacker to cause a     denial of service condition. (CVE-2017-10053)

  - Multiple unspecified flaws exist in the Security     component that allow an unauthenticated, remote attacker     to execute arbitrary code. (CVE-2017-10067,     CVE-2017-10116)

  - An unspecified flaw exists in the Scripting component     that allows an authenticated, remote attacker to impact     confidentiality and integrity. (CVE-2017-10078)

  - Multiple unspecified flaws exist in the Libraries     component that allow an unauthenticated, remote attacker     to execute arbitrary code. (CVE-2017-10087,     CVE-2017-10090)

  - An unspecified flaw exists in the ImageIO component that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2017-10089)

  - Multiple unspecified flaws exist in the JAXP component     that allow an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2017-10096, CVE-2017-10101)

  - Multiple unspecified flaws exist in the RMI component     that allow an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2017-10102, CVE-2017-10107)

  - An unspecified flaw exists in the Deployment component     that allows an unauthenticated, remote attacker to     impact integrity. (CVE-2017-10105)

  - Multiple unspecified flaws exist in the Serialization     component that allow an unauthenticated, remote attacker     to exhaust available memory, resulting in a denial of     service condition. (CVE-2017-10108, CVE-2017-10109)

  - An unspecified flaw exists in the AWT component that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2017-10110)

  - Multiple unspecified flaws exist in the JCE component     that allow an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2017-10115)

  - An unspecified flaw exists in the Deployment component     that allows a local attacker to impact confidentiality,     integrity, and availability. (CVE-2017-10125)

  - An unspecified flaw exists in the JAX-WS component that     allows an unauthenticated, remote attacker to impact     confidentiality and availability. (CVE-2017-10243)

An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 7 to version 7R1 SR4-FP10.

Security Fix(es) :

* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page listed in the References section.
(CVE-2017-10053, CVE-2017-10067, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116, CVE-2017-10243)

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR4-FP10.

Security Fix(es) :

* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page listed in the References section.
(CVE-2017-10053, CVE-2017-10067, CVE-2017-10078, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116, CVE-2017-10243)

ID	Name	Product	Family	Severity
103191	AIX Java Advisory : java_july2017_advisory.asc (July 2017 CPU)	Nessus	AIX Local Security Checks	critical
102536	RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2017:2481)	Nessus	Red Hat Local Security Checks	critical
102492	RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2017:2469)	Nessus	Red Hat Local Security Checks	critical

CVE-2017-1376

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical