IBM Java 6.0 < 6.0.16.25 / 6.1 < 6.1.8.25 / 7.0 < 7.0.9.40 / 7.1 < 7.1.3.40 / 8.0 < 8.0.3.0 Multiple Vulnerabilities (Apr 19, 2016)

critical Nessus Plugin ID 160348

Synopsis

IBM Java is affected by multiple vulnerabilities.

Description

The version of IBM Java installed on the remote host is prior to 6.0 < 6.0.16.25 / 6.1 < 6.1.8.25 / 7.0 < 7.0.9.40 / 7.1 < 7.1.3.40 / 8.0 < 8.0.3.0. It is, therefore, affected by multiple vulnerabilities as referenced in the Oracle April 19 2016 CPU advisory.

- Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization.
(CVE-2016-0686)

- Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub- component. (CVE-2016-0687)

- Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D. (CVE-2016-3422)

- Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE. (CVE-2016-3426)

- Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. (CVE-2016-3427)

- Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. NOTE: the previous information is from the April 2016 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information via crafted font data, which triggers an out-of-bounds read.
(CVE-2016-3443)

- Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment. (CVE-2016-3449)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the Oracle April 19 2016 CPU advisory.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg1IV83999

http://www-01.ibm.com/support/docview.wss?uid=swg1IV84000

http://www-01.ibm.com/support/docview.wss?uid=swg1IV84026

http://www-01.ibm.com/support/docview.wss?uid=swg1IV84027

http://www-01.ibm.com/support/docview.wss?uid=swg1IV84028

http://www-01.ibm.com/support/docview.wss?uid=swg1IV84029

http://www-01.ibm.com/support/docview.wss?uid=swg1IV84030

http://www.nessus.org/u?dd15ddc5

Plugin Details

Severity: Critical

ID: 160348

File Name: ibm_java_2016_04_19.nasl

Version: 1.5

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 4/29/2022

Updated: 6/28/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-3443

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2016-3427

Vulnerability Information

CPE: cpe:/a:ibm:java

Required KB Items: installed_sw/Java

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/19/2016

Vulnerability Publication Date: 4/19/2016

CISA Known Exploited Vulnerability Due Dates: 6/2/2023

Reference Information

CVE: CVE-2016-0686, CVE-2016-0687, CVE-2016-3422, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449

IAVA: 2016-A-0100-S