
Oracle Java SE 6 < Update 121 / 7 < Update 111 / 8 < Update 102 Multiple Vulnerabilities

High

Synopsis

The remote host is missing a critical Oracle Java SE patch update.

Description

The version of Oracle Java SE installed on the remote host is prior to 6 Update 121, 7 Update 111, or 8 Update 102 and is affected by multiple vulnerabilities:

- An unspecified flaw exists in the 'CORBA' subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3458)
- An unspecified flaw exists in the 'Networking' subcomponent that allows a local attacker to impact integrity. (CVE-2016-3485)
- An unspecified flaw exists in the 'JavaFX' subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3498)
- An unspecified flaw exists in the 'JAXP' subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3500, CVE-2016-3508)
- An unspecified flaw exists in the 'Install' subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3503, CVE-2016-3552)
- An unspecified flaw exists in the 'Deployment' subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3511)
- An unspecified flaw exists in the 'Hotspot' subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3550)
- A flaw exists in the 'Hotspot' subcomponent due to improper access to the 'MethodHandle::invokeBasic()' function. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3587)
- A flaw exists in the 'Libraries' subcomponent within the 'MethodHandles::dropArguments()' function that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3598)
- A flaw exists in the 'Hotspot' subcomponent within the 'ClassVerifier::ends_in_athrow()' function when handling bytecode verification. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3606)
- An unspecified flaw exists in the 'Libraries' subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3610)

Solution

Upgrade to Java 1.8.0_102 or later. If version 1.8.x cannot be obtained, versions 1.7.0_111 and 1.6.0_121 are also patched for these vulnerabilities.
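
The version thresholds above can be applied to an inventory of installed runtimes. The following is an added example, not the plugin's own check logic: it classifies a version string (from `java -version` output or an install directory name) against the fixed updates named in this advisory. The function names and sample strings are constructed for illustration, and it assumes the legacy `1.x.0_NN` version format.

```python
import re

# Minimum patched update per Java SE family, taken from the advisory text.
FIXED_UPDATE = {6: 121, 7: 111, 8: 102}

# Legacy version format: 1.<family>.0[_<update>], e.g. 1.8.0_101 or jdk1.7.0_80.
# The lookbehind stops "11.0.1"-style (Java 9+) strings from matching.
_VERSION_RE = re.compile(r'(?<![\d.])1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) found in text, or None if no legacy version."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A bare "1.8.0" is the initial release, i.e. update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def assess(text):
    """Classify text as 'vulnerable', 'patched', 'out-of-scope' or 'unparsed'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"          # e.g. Java 9+ version scheme
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "out-of-scope"      # family not covered by this advisory
    return "vulnerable" if update < fixed else "patched"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    samples = [
        'java version "1.8.0_101"',
        'java version "1.8.0_102"',
        'Java(TM) SE Runtime Environment (build 1.7.0_80-b15)',
        '/opt/java/jdk1.6.0_121',
        'java version "1.8.0"',
        'java version "9.0.4"',
    ]
    for s in samples:
        print(f"{assess(s):13} {s}")
```

A result of `unparsed` or `out-of-scope` means only that this advisory's thresholds do not apply to that string, not that the runtime is free of other issues.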