(Oracle Issues Fix for Oracle Linux) Oracle Java SE Multiple Flaws Let Local and Remote Users Gain Elevated Privileges, Access and Modify Data, and Deny Service
SecurityTracker Alert ID: 1034792
SecurityTracker URL: http://securitytracker.com/id/1034792
CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0483
Date: Jan 22 2016
Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Multiple vulnerabilities were reported in Oracle Java SE. A remote user can access and modify data on the target system. A remote user can cause denial of service conditions on the target system. A remote user can gain elevated privileges.
A remote user can exploit a flaw in the Java SE and Java SE Embedded 2D components to gain elevated privileges [CVE-2016-0494].
A remote user can exploit a flaw in the Java SE, Java SE Embedded, and JRockit AWT components to gain elevated privileges [CVE-2016-0483].
A remote user can exploit a flaw in the Java SE, Java SE Embedded, and JRockit Libraries components to partially access and partially modify data [CVE-2016-0475].
A remote user can exploit a flaw in the Java SE and Java SE Embedded Networking components to partially modify data [CVE-2016-0402].
A remote user can exploit a flaw in the Java SE, Java SE Embedded, and JRockit JAXP components to cause partial denial of service conditions [CVE-2016-0466].
A remote authenticated user can exploit a flaw in the Java SE and Java SE Embedded JMX components to partially access data [CVE-2016-0448].
The following researchers reported these and other Oracle product vulnerabilities:
Adam Willard of Raytheon Foreground Security; Alexey Tyurin of ERPScan; Andrea Micalizzi aka rgod (via HP's Zero Day Initiative); Anonymous (via HP's Zero Day Initiative); Brandon Vincent; Cybersecurity-upv; David Litchfield of Google;
Dmitry Janushkevich of Secunia Research; Fernando Russ of Onapsis; FortiGuard Labs of Fortinet, Inc.; Francois Goichon of Context Information Security; Igor Kopylenko of McAfee Database Security Research Team; Ivan Chalykin of ERPScan;
Jakub Palaczynski from ING Services Polska; Karthikeyan Bhargavan, Gaetan Leurent of INRIA; Lovi Yu of Salesforce.com; Luca Carettoni; Matias Mevied of Onapsis; Mike Arnold (Bruk0ut) (via HP's Zero Day Initiative); Nassim Bouali; Nicholas Lemonias of Advanced Information Security Corporation; Nikita Kelesis of ERPScan;
Peter Kostiuk of Salesforce.com; Ryan Giobbi of American Eagle Outfitters; Sergey Gorbaty of Salesforce.com; Shai Meir of McAfee Security Research; Spyridon Chatzimichail of COSMOTE - Mobile Telecommunications S.A.; Stefan Kanthak; Stephen Kost of Integrigy; Travis Emmert of Salesforce.com; and Will Dormann of CERT/CC.
A remote user can obtain data on the target system.
A remote user can modify data on the target system.
A remote user can cause partial denial of service conditions.
A remote user can gain elevated privileges on the target system.
Oracle has issued a fix for CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, and CVE-2016-0483.
The Oracle Linux advisory is available at:
Vendor URL: linux.oracle.com/errata/ELSA-2016-0054.html
Underlying OS: Linux (Oracle)
Underlying OS Comments: 7
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [El-errata] ELSA-2016-0054 Important: Oracle Linux 7 java-1.7.0-openjdk security update
Oracle Linux Security Advisory ELSA-2016-0054
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- Update DISTRO_NAME in specfile
- Bump to 2.6.4 and u95b00.
- Backport tarball creation script from OpenJDK 8 RPMs and update fsg.sh
to work with it.
- Drop 8072932or8074489 patch as applied upstream in u91b01.
- Add MD5 checksums for last two versions of the java.security file.
- Resolves: rhbz#1295768
El-errata mailing list