SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Multiple Flaws Let Local and Remote Users Gain Elevated Privileges and Remote Users Access and Modify Data and Deny Service
SecurityTracker Alert ID:  1033928
SecurityTracker URL:  http://securitytracker.com/id/1033928
CVE Reference:   CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911
Date:  Oct 22 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6u101, 7u85, 8u60; Embedded 8u51
Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can gain elevated privileges. A remote user can access and modify data on the target system. A remote user can cause denial of service conditions on the target system. A local user can obtain elevated privileges on the target system.

A remote user can exploit a flaw in the Embedded CORBA component to gain elevated privileges [CVE-2015-4835, CVE-2015-4881].

A remote user can exploit a flaw in the Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-4843, CVE-2015-4868].

A remote user can exploit a flaw in the Embedded RMI component to gain elevated privileges [CVE-2015-4860, CVE-2015-4883].

A remote user can exploit a flaw in the Embedded Serialization component to gain elevated privileges [CVE-2015-4805].

A remote user can exploit a flaw in the Embedded 2D component to gain elevated privileges [CVE-2015-4844].

A remote user can exploit a flaw in the JavaFX component to gain elevated privileges [CVE-2015-4901].

A local user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-4810].

A remote user can exploit a flaw in the Java SE Embedded Libraries component to partially access and partially modify data [CVE-2015-4806].

A remote user can exploit a flaw in the Java SE Libraries component to partially access and partially modify data [CVE-2015-4871].

A remote user can exploit a flaw in the Java SE Deployment component to partially modify data [CVE-2015-4902].

A remote user can exploit a flaw in the Embedded 2D component to partially access data [CVE-2015-4840].

A remote user can exploit a flaw in the Embedded CORBA component to cause partial denial of service conditions [CVE-2015-4882].

A remote user can exploit a flaw in the Embedded JAXP component to partially access data [CVE-2015-4842].

A remote user can exploit a flaw in the Embedded JGSS component to partially access data [CVE-2015-4734].

A remote user can exploit a flaw in the Embedded RMI component to partially access data [CVE-2015-4903].

A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions [CVE-2015-4803, CVE-2015-4893, CVE-2015-4911].

A remote user can exploit a flaw in the JRockit Security component to partially modify data [CVE-2015-4872].

A remote user can exploit a flaw in the JavaFX component to partially access data [CVE-2015-4906, CVE-2015-4908, CVE-2015-4916].

The following researchers reported these and other Oracle product vulnerabilities:

Aaron Portnoy of Exodus Intelligence; Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Advanced Threat Research Team, Intel Security; Aleksandr Dubinsky of SyncWords; Alexey Tyurin of ERPScan; Andrea Palazzo of Truel IT; Behzad Najjarpour Jabbari of Secunia Research; Borked of the Google Security Team; Brooks Li of Trend Micro; Cihan Oncu of Biznet Bilisim A.S.; Colm O hEigeartaigh; Dan Peled; David Byrne of Trustwave SpiderLabs; David Litchfield of Google; Egor Karbutov of ERPScan; Erlend Oftedal; FortiGuard Labs of Fortinet, Inc.; Francis Provencher from COSIG; Francois Goichon of Context Information Security; G. Geshev from MWR Labs; Gregory Golds; Guido Vranken; Ivan Chalykin of ERPScan; Jacob Smith; Jakub Palaczynski from ING Services Polska; Jeff Kayser of Jibe Consulting; Kana Toko; Khai Tran of Netspi; Leopold von Niebelschuetz-Godlewski of Trustwave; Marcin Gebarowski; Nikita Kelesis of ERPScan; Osanda Malith Jayathissa; Oscar Andersson; Red Hat Product Security; Sergey Gorbaty of Salesforce.com; Travis Emmert of Salesforce.com; and Ugur Cihan Koc of Avea Iletisim Hizmetleri A.S.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause denial of service conditions.

A local user can obtain elevated privileges on the target system.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, and CVE-2015-4911 for java-1.8.0-openjdk.


Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6, 7
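A defender-side check to go with the Solution above, added here and not part of the SecurityTracker entry or the CentOS announcement: it takes package names as printed by `rpm -q java-1.8.0-openjdk`, splits them into name/version/release/arch, and compares them against the fixed CentOS builds named in the errata (1.8.0.65-0.b17.el6_7 for CentOS 6, 1.8.0.65-2.b17.el7_1 for CentOS 7) using a simplified rpmvercmp. The sample package strings in the usage are constructed, the comparison ignores epoch, and the tilde/caret rules of real rpmvercmp are omitted.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed java-1.8.0-openjdk builds from the CentOS 6 and 7 errata, as
# (version, release), keyed by the dist tag found in the release string.
FIXED: Dict[str, Tuple[str, str]] = {
    "el6": ("1.8.0.65", "0.b17.el6_7"),
    "el7": ("1.8.0.65", "2.b17.el7_1"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm segment comparison (tilde/caret handling omitted).
    Returns 1 if a is newer than b, -1 if older, 0 if equal."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1  # a numeric segment sorts newer than an alpha one
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):  # segments left over means newer
        return 1 if len(sa) > len(sb) else -1
    return 0


def split_nvra(pkg: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' as printed by `rpm -q`; the name may
    itself contain hyphens (java-1.8.0-openjdk), so split from the right."""
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_patched(pkg: str) -> Optional[bool]:
    """True if the installed build is at or above the fixed build for its dist,
    False if older, None if the package or dist is not one this errata covers."""
    name, version, release, _ = split_nvra(pkg)
    if name != "java-1.8.0-openjdk":
        return None
    dist = next((d for d in FIXED if d in release), None)
    if dist is None:
        return None
    fixed_ver, fixed_rel = FIXED[dist]
    cmp = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
    return cmp >= 0


if __name__ == "__main__":  # constructed sample inputs, not real inventory
    for p in ("java-1.8.0-openjdk-1.8.0.60-2.b27.el7_1.x86_64",
              "java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1.x86_64"):
        print(p, "patched" if is_patched(p) else "VULNERABLE")
```

Feed the script the actual `rpm -q java-1.8.0-openjdk` lines from each host; a `None` result means the package is outside this errata's scope rather than safe.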

Message History:   This archive entry is a follow-up to the message listed below.
Oct 20 2015 Oracle Java SE Multiple Flaws Let Local and Remote Users Gain Elevated Privileges and Remote Users Access and Modify Data and Deny Service



Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1919 Important CentOS 7 java-1.8.0-openjdk Security Update


CentOS Errata and Security Advisory 2015:1919 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1919.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
Copyright 2019, SecurityGlobal.net LLC