Oracle Java SE 1.7.0_231 / 1.8.0_221 / 1.11.0_4 / 1.12.0_2 Multiple Vulnerabilities (Jul 2019 CPU) (Unix)

medium Nessus Plugin ID 126820
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Unix host contains a programming platform that is affected by multiple vulnerabilities.

Description

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 231, 8 Update 221, 11 Update 4, or 12 Update 2. It is, therefore, affected by multiple vulnerabilities:

- Unspecified vulnerabilities in the utilities and JCE subcomponents of Oracle Java SE, which could allow an unauthenticated remote attacker to cause a partial denial of service. (CVE-2019-2762, CVE-2019-2769, CVE-2019-2842)

- An unspecified vulnerability in the security subcomponent of Oracle Java SE, which could allow an unauthenticated local attacker to gain unauthorized access to critical Java SE data. (CVE-2019-2745)

- Unspecified vulnerabilities in the networking and security subcomponents of Oracle Java SE, which could allow an unauthenticated remote attacker to gain unauthorized access to Java SE data. Exploitation of this vulnerability requires user interaction. (CVE-2019-2766, CVE-2019-2786, CVE-2019-2818)

- An unspecified vulnerability in the networking subcomponent of Oracle Java SE, which could allow an unauthenticated remote attacker unauthorized read, update, insert or delete access to Java SE data. (CVE-2019-2816)

- An unspecified vulnerability in the JSSE subcomponent of Oracle Java SE, which could allow an unauthenticated, remote attacker to gain unauthorized access to critical Java SE data. Exploitation of this vulnerability requires user interaction. (CVE-2019-2821)

- A use after free vulnerability exists in the libpng subcomponent of Oracle Java SE. An unauthenticated, remote attacker can exploit this to cause a complete denial of service condition in Java SE. Exploitation of this vulnerability requires user interaction.
(CVE-2019-7317)

Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Oracle JDK / JRE 12 Update 2 , 11 Update 4, 8 Update 221 / 7 Update 231 or later. If necessary, remove any affected versions.

See Also

http://www.nessus.org/u?9aa2b901

Plugin Details

Severity: Medium

ID: 126820

File Name: oracle_java_cpu_jul_2019_unix.nasl

Version: 1.3

Type: local

Agent: unix

Family: Misc.

Published: 7/19/2019

Updated: 10/21/2019

Dependencies: sun_java_jre_installed_unix.nasl

Risk Information

CVSS Score Source: CVE-2019-2816

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:jre, cpe:/a:oracle:jdk

Required KB Items: Host/Java/JRE/Installed

Exploit Ease: No known exploits are available

Patch Publication Date: 7/16/2019

Vulnerability Publication Date: 7/16/2019

Reference Information

CVE: CVE-2019-2745, CVE-2019-2762, CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2818, CVE-2019-2821, CVE-2019-2842, CVE-2019-6129, CVE-2019-7317

BID: 108098, 109184, 109185, 109186, 109187, 109188, 109189, 109201, 109206, 109210, 109212

IAVA: 2019-A-0255