AIX Java Advisory : java_july2017_advisory.asc (July 2017 CPU)

Critical Nessus Plugin ID 103191

Synopsis

The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities.

Description

The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following subcomponents :

- A flaw exists in the J9 VM class verifier component that allows an unauthenticated, remote attacker to cause an escalation of privileges. (CVE-2017-1376)

- A flaw exists in the installp and updatep packages that prevents security updates from being correctly applied.
(CVE-2017-1541)

- An unspecified flaw exists in the 2D component that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-10053)

- Multiple unspecified flaws exist in the Security component that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10067, CVE-2017-10116)

- An unspecified flaw exists in the Scripting component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-10078)

- Multiple unspecified flaws exist in the Libraries component that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10087, CVE-2017-10090)

- An unspecified flaw exists in the ImageIO component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10089)

- Multiple unspecified flaws exist in the JAXP component that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10096, CVE-2017-10101)

- Multiple unspecified flaws exist in the RMI component that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10102, CVE-2017-10107)

- An unspecified flaw exists in the Deployment component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2017-10105)

- Multiple unspecified flaws exist in the Serialization component that allow an unauthenticated, remote attacker to exhaust available memory, resulting in a denial of service condition. (CVE-2017-10108, CVE-2017-10109)

- An unspecified flaw exists in the AWT component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10110)

- Multiple unspecified flaws exist in the JCE component that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-10115)

- An unspecified flaw exists in the Deployment component that allows a local attacker to impact confidentiality, integrity, and availability. (CVE-2017-10125)

- An unspecified flaw exists in the JAX-WS component that allows an unauthenticated, remote attacker to impact confidentiality and availability. (CVE-2017-10243)

Solution

Fixes are available by version and can be downloaded from the IBM AIX website.

See Also

http://www.nessus.org/u?1f03c72d

http://www.nessus.org/u?ce533d8f

http://www.nessus.org/u?17d05c61

http://www.nessus.org/u?d4595696

http://www.nessus.org/u?9abd5252

http://www.nessus.org/u?4ee03dc1

http://www.nessus.org/u?8f7a066c

http://www.nessus.org/u?52d4ddf3

http://www.nessus.org/u?343fa903

http://www.nessus.org/u?76f5def7

Plugin Details

Severity: Critical

ID: 103191

File Name: aix_java_july2017_advisory.nasl

Version: 1.9

Type: local

Published: 2017/09/13

Modified: 2018/07/17

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:ibm:aix, cpe:/a:oracle:jre, cpe:/a:oracle:jdk

Required KB Items: Host/AIX/lslpp, Host/local_checks_enabled, Host/AIX/version, Host/AIX/oslevelsp

Patch Publication Date: 2017/09/01

Vulnerability Publication Date: 2017/02/06

Reference Information

CVE: CVE-2017-1376, CVE-2017-1541, CVE-2017-10053, CVE-2017-10067, CVE-2017-10078, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116, CVE-2017-10125, CVE-2017-10243

BID: 99643, 99659, 99670, 99674, 99703, 99706, 99712, 99719, 99734, 99752, 99756, 99774, 99809, 99827, 99842, 99846, 99847, 99851, 100460