Oracle Java SE 6 < Update 131 / 7 < Update 121 / 8 < Update 112 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9712

Synopsis

The remote host is missing a critical Oracle Java SE patch update.

Description

The version of Oracle Java SE installed on the remote host is prior to 6 Update 131, 7 Update 121, or 8 Update 112 and is affected by multiple vulnerabilities :

- An unspecified flaw exists related to the Libraries subcomponent. This may allow a context-dependent attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2016-5542)
- A flaw exists in 'share/classes/com/sun/jmx/remote/util/ClassLoaderWithRepository.java' related to improper classloader consistency checks. This may allow a context-dependent attacker to bypass certain Java sandbox restrictions. (CVE-2016-5554)
- An unspecified flaw exists related to the 2D subcomponent. This may allow a context-dependent attacker to execute arbitrary code. No further details have been provided by the vendor. (CVE-2016-5556)
- A flaw exists related to the AWT subcomponent. This may allow a context-dependent attacker to execute arbitrary code. No further details have been provided by the vendor. (CVE-2016-5568)
- An unspecified flaw exists related to the hotspot subcomponent. This may allow a context-dependent attacker to execute arbitrary code. No further details have been provided by the vendor. (CVE-2016-5573)
- A flaw exists in 'cpu/sparc/vm/c1_LIRAssembler_sparc.cpp' and 'cpu/x86/vm/c1_LIRAssembler_x86.cpp'. The issue is triggered when handling calls to the 'System.arraycopy()' method due to missing type checks. This may allow a context-dependent attacker to bypass Java sandbox restrictions. (CVE-2016-5582)
- An unspecified flaw exists related to the Networking subcomponent. This may allow a context-dependent attacker to gain access to potentially sensitive information. No further details have been provided by the vendor. (CVE-2016-5597)

Solution

Upgrade to Java 1.8.0_112 or later. If version 1.8.x cannot be obtained, versions 1.7.0_121 and 1.6.0_131 are also patched for these vulnerabilities.

See Also

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA

Plugin Details

Severity: High

ID: 9712

File Name: 9712.prm

Family: Web Clients

Published: 2016/11/04

Modified: 2016/11/23

Dependencies: 8892, 8893, 8895

Nessus ID: 94138, 94139

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:java_se

Patch Publication Date: 2016/10/18

Vulnerability Publication Date: 2016/10/18

Reference Information

CVE: CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5568, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597

BID: 93618, 93621, 93623, 93628, 93636, 93637, 93643