AIX Java Advisory : java_july2017_advisory.asc (July 2017 CPU)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The version of Java SDK installed on the remote AIX host is affected
by multiple vulnerabilities.

Description :

The version of Java SDK installed on the remote AIX host is affected
by multiple vulnerabilities in the following subcomponents :

- A flaw exists in the J9 VM class verifier component that
allows an unauthenticated, remote attacker to cause an
escalation of privileges. (CVE-2017-1376)

- A flaw exists in the installp and updatep packages that
prevents security updates from being correctly applied.
(CVE-2017-1541)

- An unspecified flaw exists in the 2D component that
allows an unauthenticated, remote attacker to cause a
denial of service condition. (CVE-2017-10053)

- Multiple unspecified flaws exist in the Security
component that allow an unauthenticated, remote attacker
to execute arbitrary code. (CVE-2017-10067,
CVE-2017-10116)

- An unspecified flaw exists in the Scripting component
that allows an authenticated, remote attacker to impact
confidentiality and integrity. (CVE-2017-10078)

- Multiple unspecified flaws exist in the Libraries
component that allow an unauthenticated, remote attacker
to execute arbitrary code. (CVE-2017-10087,
CVE-2017-10090)

- An unspecified flaw exists in the ImageIO component that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2017-10089)

- Multiple unspecified flaws exist in the JAXP component
that allow an unauthenticated, remote attacker to
execute arbitrary code. (CVE-2017-10096, CVE-2017-10101)

- Multiple unspecified flaws exist in the RMI component
that allow an unauthenticated, remote attacker to
execute arbitrary code. (CVE-2017-10102, CVE-2017-10107)

- An unspecified flaw exists in the Deployment component
that allows an unauthenticated, remote attacker to
impact integrity. (CVE-2017-10105)

- Multiple unspecified flaws exist in the Serialization
component that allow an unauthenticated, remote attacker
to exhaust available memory, resulting in a denial of
service condition. (CVE-2017-10108, CVE-2017-10109)

- An unspecified flaw exists in the AWT component that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2017-10110)

- Multiple unspecified flaws exist in the JCE component
that allow an unauthenticated, remote attacker to
disclose sensitive information. (CVE-2017-10115)

- An unspecified flaw exists in the Deployment component
that allows a local attacker to impact confidentiality,
integrity, and availability. (CVE-2017-10125)

- An unspecified flaw exists in the JAX-WS component that
allows an unauthenticated, remote attacker to impact
confidentiality and availability. (CVE-2017-10243)

See also :

http://www.nessus.org/u?1f03c72d
http://www.nessus.org/u?ce533d8f
http://www.nessus.org/u?17d05c61
http://www.nessus.org/u?d4595696
http://www.nessus.org/u?9abd5252
http://www.nessus.org/u?4ee03dc1
http://www.nessus.org/u?8f7a066c
http://www.nessus.org/u?52d4ddf3
http://www.nessus.org/u?343fa903
http://www.nessus.org/u?76f5def7

Solution :

Fixes are available by version and can be downloaded from the IBM AIX
website.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false