Oracle Java SE 7 < Update 201 / 8 < Update 192 / 11 < 11.01 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 700393

Synopsis

The remote host is missing a critical Oracle Java SE patch update.

Description

The version of Oracle Java SE installed on the remote host is prior to 7 Update 201, 8 Update 192, or 11.01, and is therefore affected by multiple vulnerabilities:

- An issue exists in 'libjpeg 9a'. The 'alloc_sarray' function in 'jmemmgr.c' allows remote attackers to cause a denial of service via a crafted file. (CVE-2018-11212)
- An issue exists that allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. (CVE-2019-2422, CVE-2019-2449)
- An issue exists that allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. (CVE-2019-2426)

Solution

Upgrade to Java 11.01 or later. If version 11.x cannot be obtained, versions 1.7.0_201 and 1.8.0_192 have also been patched for these vulnerabilities.

See Also

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/blog/oracle-s-january-critical-patch-update-addresses-nearly-300-fixes

Plugin Details

Severity: Medium

ID: 700393

Family: Web Clients

Published: 2019/01/17

Updated: 2019/03/06

Dependencies: 8892, 8895

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:java_se

Patch Publication Date: 2019/01/15

Vulnerability Publication Date: 2019/01/15

Reference Information

CVE: CVE-2018-11212, CVE-2019-2422, CVE-2019-2426, CVE-2019-2449

BID: 106583, 106590, 106596, 106597