http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

102584

1040203

RHSA-2018:0099

RHSA-2018:1463

https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

https://security.netapp.com/advisory/ntap-20180117-0001/

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 181. It is, therefore, affected by multiple vulnerabilities related to the following components :

 - AWT
 - Deployment
 - Hotspot
 - I18n
 - Installer
 - JCE
 - JGSS
 - JMX
 - JNDI
 - JavaFX
 - LDAP
 - Libraries
 - Serialization

An update of the openjdk8 package has been released.

An update of {'libtiff', 'openjdk8', 'ruby'} packages of Photon OS has been released.

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP10.

Security Fix(es) :

* IBM JDK: J9 JVM allows untrusted code running under a security manager to elevate its privileges (CVE-2018-1417)

* Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Deployment) (CVE-2018-2638)

* Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Deployment) (CVE-2018-2639)

* OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962) (CVE-2018-2582)

* Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Installer) (CVE-2018-2627)

* OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633)

* OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634)

* OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637)

* OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641)

* Oracle JDK: unspecified vulnerability fixed in 7u171, 8u161, and 9.0.4 (JavaFX) (CVE-2018-2581)

* OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588)

* OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599)

* OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602)

* OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603)

* OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618)

* OpenJDK: GSS context use-after-free (JGSS, 8186212) (CVE-2018-2629)

* Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657)

* OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663)

* OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677)

* OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678)

* OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

The remote host is affected by the vulnerability described in GLSA-201803-06 (Oracle JDK/JRE: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Oracle&rsquo;s Java SE.
      Please review the referenced CVE identifiers for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, gain access to information, or cause a Denial       of Service condition.
  Workaround :

    There is no known workaround at this time.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 1888888881. It is, therefore, affected by multiple vulnerabilities related to the following components :

  - AWT
  - Deployment
  - Hotspot
  - I18n
  - Installer
  - JCE
  - JGSS
  - JMX
  - JNDI
  - JavaFX
  - LDAP
  - Libraries
  - Serialization

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 181. It is, therefore, affected by multiple vulnerabilities related to the following components :

  - AWT
  - Deployment
  - Hotspot
  - I18n
  - Installer
  - JCE
  - JGSS
  - JMX
  - JNDI
  - JavaFX
  - LDAP
  - Libraries
  - Serialization

An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update upgrades Oracle Java SE 8 to version 8 Update 161.

Security Fix(es) :

* This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.
Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2018-2579, CVE-2018-2581, CVE-2018-2582, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2627, CVE-2018-2629, CVE-2018-2633, CVE-2018-2634, CVE-2018-2637, CVE-2018-2638, CVE-2018-2639, CVE-2018-2641, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678)

ID	Name	Product	Family	Severity
700656	Oracle Java SE 6 < Update 181 / 7 < Update 171 / 8 < Update 161 / 9 < Update 4 Multiple Vulnerabilities (January 2018 CPU)	Nessus Network Monitor	Web Clients	high
121911	Photon OS 2.0: Openjdk8 PHSA-2018-2.0-0013	Nessus	PhotonOS Local Security Checks	critical
111283	Photon OS 2.0 : libtiff / openjdk8 / ruby (PhotonOS-PHSA-2018-2.0-0013) (deprecated)	Nessus	PhotonOS Local Security Checks	critical
109908	RHEL 6 : java-1.8.0-ibm (RHSA-2018:1463)	Nessus	Red Hat Local Security Checks	high
108432	GLSA-201803-06 : Oracle JDK/JRE: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
106191	Oracle Java SE Multiple Vulnerabilities (January 2018 CPU) (Unix)	Nessus	Misc.	high
106190	Oracle Java SE Multiple Vulnerabilities (January 2018 CPU)	Nessus	Windows	high
106182	RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2018:0099)	Nessus	Red Hat Local Security Checks	high

CVE-2018-2627

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

critical

high

high

high

high

high