Oracle Java SE Multiple Vulnerabilities (October 2017 CPU)

critical Nessus Plugin ID 103963

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Windows host contains a programming platform that is affected by multiple vulnerabilities.

Description

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 1, 8 Update 151, 7 Update 161, or 6 Update 171. It is, therefore, affected by multiple vulnerabilities related to the following components :

 - 2D (Little CMS 2)
 - Deployment
 - Hotspot
 - JAX-WS
 - JAXP
 - Javadoc
 - Libraries
 - Networking
 - RMI
 - Security
 - Serialization
 - Smart Card IO
 - Util (zlib)

Solution

Upgrade to Oracle JDK / JRE 9 Update 1, 8 Update 151 / 7 Update 161 / 6 Update 171 or later. If necessary, remove any affected versions.

Note that an Extended Support contract with Oracle is needed to obtain JDK / JRE 6 Update 95 or later.

See Also

http://www.nessus.org/u?ffb85cfa

http://www.nessus.org/u?dfeae1af

http://www.nessus.org/u?bbe7f5cf

http://www.nessus.org/u?2fbcacca

http://www.nessus.org/u?726f7054

Plugin Details

Severity: Critical

ID: 103963

File Name: oracle_java_cpu_oct_2017.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 10/19/2017

Updated: 11/12/2019

Dependencies: sun_java_jre_installed.nasl

Risk Information

CVSS Score Source: CVE-2016-9841

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:jre, cpe:/a:oracle:jdk

Required KB Items: SMB/Java/JRE/Installed

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/17/2017

Vulnerability Publication Date: 10/17/2017

Reference Information

CVE: CVE-2016-9841, CVE-2016-10165, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10293, CVE-2017-10295, CVE-2017-10309, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388

BID: 101315, 101319, 101321, 101328, 101333, 101338, 101341, 101348, 101354, 101355, 101369, 101378, 101382, 101384, 101396, 101413