Oracle Java SE 7 < Update 201 / 8 < Update 192 / 11 < 11.01 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 700393

Synopsis

The remote host is missing a critical Oracle Java SE patch update.

Description

The version of Oracle Java SE installed on the remote host is prior to 7 Update 201, 8 Update 192, or 11.01, and is therefore affected by multiple vulnerabilities:

- An issue exists in 'libjpeg 9a'. The 'alloc_sarray' function in 'jmemmgr.c' allows remote attackers to cause a denial of service via a crafted file. (CVE-2018-11212)
- An issue exists that allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. (CVE-2019-2422, CVE-2019-2449)
- An issue exists that allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. (CVE-2019-2426)

Solution

Upgrade to Java 11.01 or later. If version 11.x cannot be obtained, versions 1.7.0_201 and 1.8.0_192 have also been patched for these vulnerabilities.

See Also

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/blog/oracle-s-january-critical-patch-update-addresses-nearly-300-fixes

Plugin Details

Severity: Medium

ID: 700393

Family: Web Clients

Published: 1/17/2019

Updated: 3/6/2019

Dependencies: 8892, 8895

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*

Patch Publication Date: 1/15/2019

Vulnerability Publication Date: 1/15/2019

Reference Information

CVE: CVE-2019-2426, CVE-2018-11212, CVE-2019-2449, CVE-2019-2422

BID: 106583, 106597, 106590, 106596