SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Multiple Flaws Let Local and Remote Users Gain Elevated Privileges and Remote Users Access and Modify Data and Deny Service
SecurityTracker Alert ID:  1033936
SecurityTracker URL:  http://securitytracker.com/id/1033936
CVE Reference:   CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911
Date:  Oct 22 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6u101, 7u85, 8u60; Embedded 8u51
Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can gain elevated privileges. A remote user can access and modify data on the target system. A remote user can cause denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. The component-by-component list below reproduces the upstream Oracle Critical Patch Update description and therefore also names CVEs (for example in JavaFX, Java SE Deployment and JRockit) that this CentOS update does not address; only the CVEs given in the CVE Reference and Solution fields are fixed by the java-1.7.0-openjdk packages listed here.

A remote user can exploit a flaw in the Embedded CORBA component to gain elevated privileges [CVE-2015-4835, CVE-2015-4881].

A remote user can exploit a flaw in the Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-4843, CVE-2015-4868].

A remote user can exploit a flaw in the Embedded RMI component to gain elevated privileges [CVE-2015-4860, CVE-2015-4883].

A remote user can exploit a flaw in the Embedded Serialization component to gain elevated privileges [CVE-2015-4805].

A remote user can exploit a flaw in the Embedded 2D component to gain elevated privileges [CVE-2015-4844].

A remote user can exploit a flaw in the JavaFX component to gain elevated privileges [CVE-2015-4901].

A local user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-4810].

A remote user can exploit a flaw in the Java SE Embedded Libraries component to partially access and partially modify data [CVE-2015-4806].

A remote user can exploit a flaw in the Java SE Libraries component to partially access and partially modify data [CVE-2015-4871].

A remote user can exploit a flaw in the Java SE Deployment component to partially modify data [CVE-2015-4902].

A remote user can exploit a flaw in the Embedded 2D component to partially access data [CVE-2015-4840].

A remote user can exploit a flaw in the Embedded CORBA component to cause partial denial of service conditions [CVE-2015-4882].

A remote user can exploit a flaw in the Embedded JAXP component to partially access data [CVE-2015-4842].

A remote user can exploit a flaw in the Embedded JGSS component to partially access data [CVE-2015-4734].

A remote user can exploit a flaw in the Embedded RMI component to partially access data [CVE-2015-4903].

A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions [CVE-2015-4803, CVE-2015-4893, CVE-2015-4911].

A remote user can exploit a flaw in the JRockit Security component to partially modify data [CVE-2015-4872].

A remote user can exploit a flaw in the JavaFX component to partially access data [CVE-2015-4906, CVE-2015-4908, CVE-2015-4916].

The following researchers reported these and other Oracle product vulnerabilities:

Aaron Portnoy of Exodus Intelligence; Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Advanced Threat Research Team, Intel Security; Aleksandr Dubinsky of SyncWords; Alexey Tyurin of ERPScan; Andrea Palazzo of Truel IT; Behzad Najjarpour Jabbari of Secunia Research; Borked of the Google Security Team; Brooks Li of Trend Micro; Cihan Oncu of Biznet Bilisim A.S.; Colm O hEigeartaigh; Dan Peled; David Byrne of Trustwave SpiderLabs; David Litchfield of Google; Egor Karbutov of ERPScan; Erlend Oftedal; FortiGuard Labs of Fortinet, Inc.; Francis Provencher from COSIG; Francois Goichon of Context Information Security; G. Geshev from MWR Labs; Gregory Golds; Guido Vranken; Ivan Chalykin of ERPScan; Jacob Smith; Jakub Palaczynski from ING Services Polska; Jeff Kayser of Jibe Consulting; Kana Toko; Khai Tran of Netspi; Leopold von Niebelschuetz-Godlewski of Trustwave; Marcin Gebarowski; Nikita Kelesis of ERPScan; Osanda Malith Jayathissa; Oscar Andersson; Red Hat Product Security; Sergey Gorbaty of Salesforce.com; Travis Emmert of Salesforce.com; and Ugur Cihan Koc of Avea Iletisim Hizmetleri A.S.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause denial of service conditions.

A local user can obtain elevated privileges on the target system.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, and CVE-2015-4911 for java-1.7.0-openjdk.

CentOS 5 (el5_11):

i386:
728f0c0642d42864b96a7dbd7310360f8787ab90fa17bec6ee5ddb7bc0950b97 java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11.i386.rpm
707c41d31d5b7f03704db767124d21dd6de652d64d22a2cc0758afe6f5a68aec java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el5_11.i386.rpm
4e6876cbad92bb25d26c0bd8b05c407eab7064e59d4eb58eab6b1f50ab122f9b java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el5_11.i386.rpm
72055bec04fcf49a9b744866389d67dfd83bc0cb6ccd64a2c417f230e18a1431 java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el5_11.i386.rpm
35504f2d7eaebb7b10d3a7eb8bb918169f740a296984cf976db242947c77c1d9 java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el5_11.i386.rpm

x86_64:
744c714a9d9dd4a4c54cedad94af99f6093dd5a41f230dba3cd1d30e989a6c80 java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
e7a6d7045f53ccc49104ac40c727708d3d91c553a81896a0e08ab141e441a4d8 java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
f014c30d7aaa0935def0ec0fe8aaa46eab3a23abef79e8fedff1a071be61ddbc java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
7a6d280dd08f2936ed2aa8c66adabab6d400d8b6bfa072fe03d020e0cca76f40 java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm
fe02e4316dee3cb6c77a53cb3f3de560c88b343b36e66f46870928961d7b6c53 java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el5_11.x86_64.rpm

Source:
5107c8d5774a3ba475574a51c986bb8af63414ca30a54ab7940bf5739da707e7 java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11.src.rpm

CentOS 6 (el6_7):

i386:
d72e2661b3d3f63dd3e31e134305c90051559fed089dc7df2f11f42d647d39da java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7.i686.rpm
d1e333fdef177c54ed4ad4da2bbaeec79150f27ca845161661689f568ff6a6a6 java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7.i686.rpm
ba0e0cdd9252a2c4e40199868178e9c33294813a3a946fb63d6ee6b05e764296 java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7.i686.rpm
96005bc8eb6c0a4e9a13f0fe27aef3fe2b8f117087391c256ae4b67975e4f157 java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7.noarch.rpm
90573960582711048b0f60e63cc8e8a220d0d59820c82dbf5e758754dfe1a66c java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7.i686.rpm

x86_64:
fca9faa6089825a6e753a197c1579310d03a2c023a965c0798cd36a5dcc27b8b java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7.x86_64.rpm
6f8e52dff818c08a09b8498d677401205aecc486976571f58f0476d64acf97cb java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7.x86_64.rpm
27adba1b3a6f4f570d4be23c87e973cfd72890aa18845dd12274d47632cfe0cc java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7.x86_64.rpm
96005bc8eb6c0a4e9a13f0fe27aef3fe2b8f117087391c256ae4b67975e4f157 java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7.noarch.rpm
ded1524d436b2319d7aea5296df26ff154edb863709bbb900dd0b42e7c18a401 java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7.x86_64.rpm

Source:
4bf598bec324eebeda3229568573df701a70d28b9e54bd30f58338b3dac7997e java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7.src.rpm

CentOS 7 (el7_1):

x86_64:
826d53b513a6bb5b067028561c663245b39634e764ac64008a09ffdfb26711b6 java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
43556ec3d4af6b5efae46bed907e81e3b5f69b33cd25b2e1992504685f69dda5 java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
a9813ff0692254f9d70a49ec9cef8514706b533836619591967a03f306d146f3 java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
138f0282b13a511bbe2cc21a1e2a61543255bc767b654f13e7c27cacdd5fdd83 java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
a34323f74e4423d38d298a06cdd26788851b6ac5d9c5787b6f6a2c4144f816bd java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
f8a71a52a20f34d1d0db714c399308561280441a5dfa886fb96de692b41c2bf8 java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1.noarch.rpm
0cd7e499729498b74f1898eef23578299a97ab004992d0f6dea78b12e4d86302 java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm

Source:
494032ee883593af2f18afc2992d5afd2da7bfd02f3aa9b015b441496ad8546a java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.src.rpm
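
The package lists above give a sha256 per RPM and a fixed version-release per CentOS release, which is what an administrator actually checks before and after applying the errata. The shell helpers below are an added example for this page, not code from CentOS, Red Hat or SecurityTracker: they turn pasted "hash filename" lines into sha256sum -c input (dropping arch headers and truncated hashes instead of passing them through), verify whichever RPMs from the list are present in a download directory, and compare an installed java-1.7.0-openjdk version-release against the fixed build for its release. The version comparison is a deliberate simplification of rpm's ordering (numeric runs only), sufficient for the builds on this page and meant to be applied only within one CentOS release. The sample advisory excerpt is two lines copied from the CentOS 7 list plus one constructed stray header line; the directory and file names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example for this advisory page; not code from CentOS, Red Hat or SecurityTracker.
# Helpers to (1) turn pasted "sha256sum Filename" lines into sha256sum -c input,
# (2) verify downloaded RPMs against that list, and (3) decide whether an installed
# java-1.7.0-openjdk build is at or past the fixed version for its CentOS release.

# Fixed version-release per CentOS release, read off the package names in CESA-2015:1920.
FIXED_EL5='1.7.0.91-2.6.2.1.el5_11'
FIXED_EL6='1.7.0.91-2.6.2.2.el6_7'
FIXED_EL7='1.7.0.91-2.6.2.1.el7_1'

# Sample input (constructed excerpt): two lines copied from the CentOS 7 list, the
# first with the single space a web copy-paste tends to leave, plus a stray arch header.
ADVISORY_TEXT='826d53b513a6bb5b067028561c663245b39634e764ac64008a09ffdfb26711b6 java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
a34323f74e4423d38d298a06cdd26788851b6ac5d9c5787b6f6a2c4144f816bd  java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
x86_64:'

# to_sums_file: advisory lines on stdin -> "HASH  FILENAME" lines on stdout.
# Anything that is not <64 lowercase hex chars> <name>.rpm (headers, blank lines,
# truncated hashes) is dropped, so a damaged paste cannot turn into a passing check.
to_sums_file() {
    awk 'NF == 2 && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ && $2 ~ /\.rpm$/ {
             printf "%s  %s\n", $1, $2
         }'
}

# verify_rpms SUMS_FILE DIR: check every listed RPM that exists in DIR.
# Succeeds only if at least one listed file was present and none mismatched;
# a list that matches nothing is treated as a failure, not as a pass.
verify_rpms() {
    sums="$1"; dir="$2"; present=$(mktemp)
    while read -r hash name; do
        if [ -f "$dir/$name" ]; then
            printf '%s  %s\n' "$hash" "$name" >> "$present"
        fi
    done < "$sums"
    if [ ! -s "$present" ]; then
        echo "verify_rpms: no RPM from $sums found in $dir" >&2
        rm -f "$present"; return 1
    fi
    if (cd "$dir" && sha256sum -c "$present"); then rc=0; else rc=1; fi
    rm -f "$present"; return $rc
}

# is_fixed INSTALLED FIXED: succeed if INSTALLED (version-release, as printed by
# `rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.7.0-openjdk`) is >= FIXED.
# Simplified rpm ordering: the numeric runs are compared left to right, so
# 1.7.0.85-2.6.1.3.el7_1 < 1.7.0.91-2.6.2.1.el7_1. Enough for the builds on this
# page; compare only against the FIXED_* value for the host's own release.
is_fixed() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
        for (i = 1; i <= n || i <= m; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p != q) exit (p > q) ? 0 : 1
        }
        exit 0
    }'
}

# Typical use on a CentOS 7 host (file and directory names are placeholders):
#   printf '%s\n' "$ADVISORY_TEXT" | to_sums_file > cesa-2015-1920.sha256
#   verify_rpms cesa-2015-1920.sha256 ./downloaded-rpms
#   is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' java-1.7.0-openjdk)" "$FIXED_EL7" \
#       && echo "java-1.7.0-openjdk is at or past $FIXED_EL7"
```

Two design points: the filter in to_sums_file is strict on purpose, because a hash that lost a character in copy-paste would otherwise be handed to sha256sum -c and reported as a format error rather than a mismatch; and verify_rpms refuses to succeed when nothing in the list was found, since a typo in the directory name must not look like a clean verification.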

Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  5, 6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Oct 20 2015 Oracle Java SE Multiple Flaws Let Local and Remote Users Gain Elevated Privileges and Remote Users Access and Modify Data and Deny Service



 Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1920 Critical CentOS 7 java-1.7.0-openjdk Security Update


CentOS Errata and Security Advisory 2015:1920 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1920.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
826d53b513a6bb5b067028561c663245b39634e764ac64008a09ffdfb26711b6  java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
43556ec3d4af6b5efae46bed907e81e3b5f69b33cd25b2e1992504685f69dda5  java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
a9813ff0692254f9d70a49ec9cef8514706b533836619591967a03f306d146f3  java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
138f0282b13a511bbe2cc21a1e2a61543255bc767b654f13e7c27cacdd5fdd83  java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
a34323f74e4423d38d298a06cdd26788851b6ac5d9c5787b6f6a2c4144f816bd  java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
f8a71a52a20f34d1d0db714c399308561280441a5dfa886fb96de692b41c2bf8  java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1.noarch.rpm
0cd7e499729498b74f1898eef23578299a97ab004992d0f6dea78b12e4d86302  java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm

Source:
494032ee883593af2f18afc2992d5afd2da7bfd02f3aa9b015b441496ad8546a  java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Copyright 2019, SecurityGlobal.net LLC