SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Multiple Flaws Let Local and Remote Users Gain Elevated Privileges, Access and Modify Data, and Deny Service
SecurityTracker Alert ID:  1034799
SecurityTracker URL:  http://securitytracker.com/id/1034799
CVE Reference:   CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475, CVE-2016-0483, CVE-2016-0494
Date:  Jan 22 2016
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Oracle Java SE; the same flaws affect the OpenJDK 8 packages shipped by CentOS 7. Depending on the flaw, a remote user can access or modify data on the target system, cause denial of service conditions, or gain elevated privileges.

A remote user can exploit a flaw in the Java SE and Java SE Embedded 2D components to gain elevated privileges [CVE-2016-0494].

A remote user can exploit a flaw in the Java SE, Java SE Embedded, and JRockit AWT components to gain elevated privileges [CVE-2016-0483].

A remote user can exploit a flaw in the Java SE, Java SE Embedded, and JRockit Libraries components to partially access and partially modify data [CVE-2016-0475].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Networking components to partially modify data [CVE-2016-0402].

A remote user can exploit a flaw in the Java SE, Java SE Embedded, and JRockit JAXP components to cause partial denial of service conditions [CVE-2016-0466].

A remote authenticated user can exploit a flaw in the Java SE and Java SE Embedded JMX components to partially access data [CVE-2016-0448].

The following researchers reported these and other Oracle product vulnerabilities:

Adam Willard of Raytheon Foreground Security; Alexey Tyurin of ERPScan; Andrea Micalizzi aka rgod (via HP's Zero Day Initiative); Anonymous (via HP's Zero Day Initiative); Brandon Vincent; Cybersecurity-upv; David Litchfield of Google;
Dmitry Janushkevich of Secunia Research; Fernando Russ of Onapsis; FortiGuard Labs of Fortinet, Inc.; Francois Goichon of Context Information Security; Igor Kopylenko of McAfee Database Security Research Team; Ivan Chalykin of ERPScan;
Jakub Palaczynski from ING Services Polska; Karthikeyan Bhargavan, Gaetan Leurent of INRIA; Lovi Yu of Salesforce.com; Luca Carettoni; Matias Mevied of Onapsis; Mike Arnold (Bruk0ut) (via HP's Zero Day Initiative); Nassim Bouali; Nicholas Lemonias of Advanced Information Security Corporation; Nikita Kelesis of ERPScan;
Peter Kostiuk of Salesforce.com; Ryan Giobbi of American Eagle Outfitters; Sergey Gorbaty of Salesforce.com; Shai Meir of McAfee Security Research; Spyridon Chatzimichail of COSMOTE - Mobile Telecommunications S.A.; Stefan Kanthak; Stephen Kost of Integrigy; Travis Emmert of Salesforce.com; and Will Dormann of CERT/CC.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause partial denial of service conditions.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for java-1.8.0-openjdk. The fixed CentOS 7 build is java-1.8.0-openjdk-1.8.0.71-2.b15.el7_2 (x86_64 binary subpackages, noarch javadoc packages, and the source RPM); the updated file names and their SHA-256 checksums are listed in the CentOS announcement reproduced below. Installing the package does not patch JVMs that are already running: they keep the old libraries mapped and must be restarted for the update to take effect.
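As an added example (not code from SecurityTracker, CentOS or Red Hat), the following Python script turns the announcement into a post-update check: it parses the sha256sum listing, verifies a downloaded RPM against it, and decides whether an installed java-1.8.0-openjdk build is at or beyond 1.8.0.71-2.b15.el7_2. The embedded listing is a subset copied from the announcement below; the simplified port of rpm's version comparison, the name and architecture handling, and the assumption that the epoch is the same on both sides are mine, not anything the page states.

```python
"""Post-update checks for CESA-2016:0049 (java-1.8.0-openjdk, CentOS 7).

Added example; not code from SecurityTracker, CentOS or Red Hat. It embeds
part of the sha256sum listing from the announcement, verifies a downloaded
RPM against it, and decides whether an installed NVR is at or beyond the
fixed build 1.8.0.71-2.b15.el7_2.
"""
import hashlib
import re
import sys

# Subset of the "( sha256sum Filename )" listing copied from the announcement.
PUBLISHED_SHA256 = """\
ce972ee5146c1601bd4e80cc7f233935d91a6561eae2c6646e23fa901e8803e2  java-1.8.0-openjdk-1.8.0.71-2.b15.el7_2.x86_64.rpm
28a1a1670ec397215ae6d086921433e848fd6afdf3b151c3f9c22b65da3750c0  java-1.8.0-openjdk-devel-1.8.0.71-2.b15.el7_2.x86_64.rpm
695fa0a9f4dd4c5355cd9d6fe6ad3fbcd72a37f827fe04391b4ad2b26e13eb03  java-1.8.0-openjdk-headless-1.8.0.71-2.b15.el7_2.x86_64.rpm
4c3401804b87f95607cbbe70d70a11b51c8317418c508e2edd19d8d3cc73c851  java-1.8.0-openjdk-1.8.0.71-2.b15.el7_2.src.rpm
"""

PACKAGE_PREFIX = "java-1.8.0-openjdk"   # every subpackage shares this prefix
FIXED_VERSION = "1.8.0.71"
FIXED_RELEASE = "2.b15.el7_2"
ARCHES = {"x86_64", "i686", "noarch", "src"}   # assumption: arches we strip


def parse_checksum_list(text):
    """Map file name -> lowercase hex digest from 'sha256sum  filename' lines."""
    checksums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            checksums[parts[1]] = parts[0].lower()
    return checksums


CHECKSUMS = parse_checksum_list(PUBLISHED_SHA256)


def verify_bytes(data, expected_hex):
    """True if sha256(data) equals the published digest."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def verify_file(path):
    """True if the RPM at `path` matches the published digest for its file name.
    Raises KeyError for a file name the announcement did not list."""
    expected = CHECKSUMS[path.rsplit("/", 1)[-1]]
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), expected)


_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Simplified port of rpm's rpmvercmp(): returns -1, 0 or 1.
    Separators ('.', '_', '-') are ignored, numeric segments compare as
    integers and beat alphabetic ones, and '~' sorts before anything,
    including end of string. Assumption: no '^' (caret) handling."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else None
        y = sb.pop(0) if sb else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:            # a ran out of segments first: b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():        # numeric segment beats alphabetic segment
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def split_nvra(nvra):
    """'java-1.8.0-openjdk-1.8.0.71-2.b15.el7_2.x86_64' -> (name, version, release)."""
    head, _, tail = nvra.rpartition(".")
    nvr = head if tail in ARCHES else nvra
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvra):
    """True if an installed java-1.8.0-openjdk* build is >= the fixed build.
    Assumption: the epoch is identical on both sides, so only version and
    release are compared."""
    name, version, release = split_nvra(nvra)
    if not name.startswith(PACKAGE_PREFIX):
        raise ValueError(f"{name} is not a {PACKAGE_PREFIX} package")
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0


if __name__ == "__main__":
    # Pass 'rpm -q java-1.8.0-openjdk*' output lines and/or downloaded RPM paths.
    for arg in sys.argv[1:]:
        if arg.endswith(".rpm"):
            print(arg, "checksum OK" if verify_file(arg) else "CHECKSUM MISMATCH")
        else:
            print(arg, "fixed" if is_fixed(arg) else "VULNERABLE")
```

The version comparison is the part worth getting right: a naive string or float compare treats 1.8.0.65-3.b17.el7 as newer than 1.8.0.71-2.b15.el7_2 because of the larger release number, whereas rpm compares the version segments first and only then the release. On a real host the same decision is available from `rpm -q --qf '%{EVR}\n' java-1.8.0-openjdk` together with rpm's own comparison; the script is for cases where you audit package lists offline.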

Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Jan 19 2016 Oracle Java SE Multiple Flaws Let Local and Remote Users Gain Elevated Privileges, Access and Modify Data, and Deny Service



 Source Message Contents

Subject:  [CentOS-announce] CESA-2016:0049 Critical CentOS 7 java-1.8.0-openjdk Security Update


CentOS Errata and Security Advisory 2016:0049 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0049.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
ce972ee5146c1601bd4e80cc7f233935d91a6561eae2c6646e23fa901e8803e2  java-1.8.0-openjdk-1.8.0.71-2.b15.el7_2.x86_64.rpm
231d337b267173e8a97b639e1decd8fd3c363dca5b7e99d0431e1132b2b79ab3  java-1.8.0-openjdk-accessibility-1.8.0.71-2.b15.el7_2.x86_64.rpm
da7363c0e8de3f8029fd0b53c6d9360e5329c00bbb49fba45250e36fd90b3343  java-1.8.0-openjdk-accessibility-debug-1.8.0.71-2.b15.el7_2.x86_64.rpm
98bd270515a7c1aafad7eb97903d03c222bb20a313396def8b5e0707b280feaa  java-1.8.0-openjdk-debug-1.8.0.71-2.b15.el7_2.x86_64.rpm
cdea29711a04ec7cbdde298f32f0e9797322b57a0bd27347f941b59187246932  java-1.8.0-openjdk-demo-1.8.0.71-2.b15.el7_2.x86_64.rpm
08d660cc791cf5774ff85f4898f1e07c1478f9432b9df92db2c99ea983fef652  java-1.8.0-openjdk-demo-debug-1.8.0.71-2.b15.el7_2.x86_64.rpm
28a1a1670ec397215ae6d086921433e848fd6afdf3b151c3f9c22b65da3750c0  java-1.8.0-openjdk-devel-1.8.0.71-2.b15.el7_2.x86_64.rpm
4390bc07cdbd221b9660f6234d6a5a31266763266b0235ecebdb00280e825f29  java-1.8.0-openjdk-devel-debug-1.8.0.71-2.b15.el7_2.x86_64.rpm
695fa0a9f4dd4c5355cd9d6fe6ad3fbcd72a37f827fe04391b4ad2b26e13eb03  java-1.8.0-openjdk-headless-1.8.0.71-2.b15.el7_2.x86_64.rpm
2b3511bd9252d1a35c8487619477676fa4f407efc0714a99521be7782e1c67a5  java-1.8.0-openjdk-headless-debug-1.8.0.71-2.b15.el7_2.x86_64.rpm
5027f41974391053607acdca9acf710f69404acdfacc503ff27c57f3e422e67d  java-1.8.0-openjdk-javadoc-1.8.0.71-2.b15.el7_2.noarch.rpm
9f36232b55a394ac03320db4b967818d2c9bf8c2f625880db5ba0c2d8e8b4862  java-1.8.0-openjdk-javadoc-debug-1.8.0.71-2.b15.el7_2.noarch.rpm
47b026a2dff15ec605adae0f006cf38315119bc8d958cd06fa372286f944253a  java-1.8.0-openjdk-src-1.8.0.71-2.b15.el7_2.x86_64.rpm
2eccd02abf028db63f02189ad0612456f350442199ac954f32f35aaa203ce52f  java-1.8.0-openjdk-src-debug-1.8.0.71-2.b15.el7_2.x86_64.rpm

Source:
4c3401804b87f95607cbbe70d70a11b51c8317418c508e2edd19d8d3cc73c851  java-1.8.0-openjdk-1.8.0.71-2.b15.el7_2.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Copyright 2021, SecurityGlobal.net LLC