Oracle Java SE Multiple Vulnerabilities (July 2017 CPU)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a programming platform that is
affected by multiple vulnerabilities.

Description :

The version of Oracle (formerly Sun) Java SE or Java for Business
installed on the remote host is prior to 8 Update 141, 7 Update 151,
or 6 Update 161. It is, therefore, affected by multiple
vulnerabilities :

- An unspecified flaw exists in the 2D component that
allows an unauthenticated, remote attacker to cause a
denial of service condition. (CVE-2017-10053)

- Multiple unspecified flaws exist in the Security
component that allow an unauthenticated, remote attacker
to execute arbitrary code. (CVE-2017-10067,
CVE-2017-10116)

- An unspecified flaw exists in the Hotspot component that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2017-10074)

- An unspecified flaw exists in the Scripting component
that allows an authenticated, remote attacker to impact
confidentiality and integrity. (CVE-2017-10078)

- An unspecified flaw exists in the Hotspot component that
allows an unauthenticated, remote attacker to impact
integrity. (CVE-2017-10081)

- Multiple unspecified flaws exist in the JavaFX component
that allow an unauthenticated, remote attacker to
execute arbitrary code. (CVE-2017-10086, CVE-2017-10114)

- Multiple unspecified flaws exist in the Libraries
component that allow an unauthenticated, remote attacker
to execute arbitrary code. (CVE-2017-10087,
CVE-2017-10090, CVE-2017-10111)

- An unspecified flaw exists in the ImageIO component that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2017-10089)

- Multiple unspecified flaws exist in the JAXP component
that allow an unauthenticated, remote attacker to
execute arbitrary code. (CVE-2017-10096, CVE-2017-10101)

- Multiple unspecified flaws exist in the RMI component
that allow an unauthenticated, remote attacker to
execute arbitrary code. (CVE-2017-10102, CVE-2017-10107)

- Multiple unspecified flaws exist in the Server component
of the Java Advanced Management Console that allow an
authenticated, remote attacker to impact
confidentiality, integrity, and availability.
(CVE-2017-10104, CVE-2017-10145)

- An unspecified flaw exists in the Deployment component
that allows an unauthenticated, remote attacker to
impact integrity. (CVE-2017-10105)

- Multiple unspecified flaws exist in the Serialization
component that allow an unauthenticated, remote attacker
to exhaust available memory, resulting in a denial of
service condition. (CVE-2017-10108, CVE-2017-10109)

- An unspecified flaw exists in the AWT component that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2017-10110)

- Multiple unspecified flaws exist in the JCE component
that allow an unauthenticated, remote attacker to
disclose sensitive information. (CVE-2017-10115,
CVE-2017-10118, CVE-2017-10135)

- An unspecified flaw exists in the Server component of
the Java Advanced Management Console that allows an
unauthenticated, remote attacker to disclose sensitive
information. (CVE-2017-10117)

- An unspecified flaw exists in the Server component of
the Java Advanced Management Console that allows an
unauthenticated, remote attacker to impact
confidentiality and integrity. (CVE-2017-10121)

- An unspecified flaw exists in the Deployment component
that allows a local attacker to impact confidentiality,
integrity, and availability. (CVE-2017-10125)

- Multiple unspecified flaws exist in the Security
component that allow an unauthenticated, remote attacker
to disclose sensitive information. (CVE-2017-10176,
CVE-2017-10193, CVE-2017-10198)

- An unspecified flaw exists in the JAX-WS component that
allows an unauthenticated, remote attacker to impact
confidentiality and availability. (CVE-2017-10243)

See also :

http://www.nessus.org/u?76f5def7
http://www.nessus.org/u?755142b1
http://www.nessus.org/u?4f2226dc
http://www.nessus.org/u?726f7054

Solution :

Upgrade to Oracle JDK / JRE 8 Update 141 / 7 Update 151 / 6 Update
161 or later. If necessary, remove any affected versions.

Note that an Extended Support contract with Oracle is needed to obtain
JDK / JRE 6 Update 95 or later.
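
The version gate from the Description and Solution above, written as a check that can be run over a software inventory. This is an added example, not Tenable's plugin code; it assumes the legacy "1.x.0_NN" version string format that Java 6, 7 and 8 report, and the host names and version strings in the sample inventory are constructed.

```python
import re

# Minimum fixed update level per Java family, as stated in this advisory:
# 8 Update 141, 7 Update 151, 6 Update 161.
FIXED_UPDATE = {6: 161, 7: 151, 8: 141}

# Legacy Java version string: "1.<family>.0_<update>" with an optional "-bNN"
# build suffix, e.g. "1.8.0_131" or "1.7.0_80-b15". A missing "_NN" means update 0.
_LEGACY = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?(?:-b\d+)?$")


def parse_legacy_version(version):
    """Return (family, update) for a legacy Java version string.

    Anything that is not in the legacy format (for example a Java 9 style "9")
    raises ValueError so the caller can triage it separately instead of
    silently treating it as patched."""
    m = _LEGACY.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(version):
    """True when the version is below the July 2017 CPU fix level for its family.

    Families this advisory does not cover return False; the check is strictly
    'prior to' the fixed update, so 8u141 itself is not flagged."""
    family, update = parse_legacy_version(version)
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return False
    return update < fixed


def triage(inventory):
    """Given {hostname: java version string}, return the hosts that still need
    the upgrade named in the Solution, sorted by host name."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = {
    "ws01": "1.8.0_131",
    "ws02": "1.8.0_141",
    "ws03": "1.7.0_80-b15",
    "ws04": "1.6.0_45",
    "ws05": "1.8.0_144",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Java {SAMPLE_INVENTORY[host]} is below the fix level")
```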

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false