SecurityTracker.com
SecurityTracker Archives

Category:  Application (Generic) > Oracle Java SE
Vendors:  Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Bugs Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges
SecurityTracker Alert ID:  1037811
SecurityTracker URL:  http://securitytracker.com/id/1037811
CVE Reference:  CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289
Date:  Feb 14 2017
Impact:  Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  6u131, 7u121, 8u112
Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can access data on the target system. A remote user can modify data on the target system. A remote user can cause denial of service conditions on the target system. A remote user can gain elevated privileges.

A remote user can exploit a flaw in the Hotspot component to gain elevated privileges [CVE-2017-3289].

A remote user can exploit a flaw in the Libraries component to gain elevated privileges [CVE-2017-3272].

A remote user can exploit a flaw in the RMI component to gain elevated privileges [CVE-2017-3241].

A remote user can exploit a flaw in the AWT component to gain elevated privileges [CVE-2017-3260].

A remote user can exploit a flaw in the 2D component to cause denial of service conditions [CVE-2017-3253].

A remote user can exploit a flaw in the Libraries component to modify data [CVE-2016-5546].

A remote user can exploit a flaw in the Libraries component to access data [CVE-2016-5548, CVE-2016-5549].

A remote authenticated user can exploit a flaw in the JAAS component to modify data [CVE-2017-3252].

A remote user can exploit a flaw in the Java Mission Control component to partially access data [CVE-2017-3262].

A remote user can exploit a flaw in the Libraries component to cause partial denial of service conditions [CVE-2016-5547].

A remote user can exploit a flaw in the Networking component to partially modify data [CVE-2016-5552].

A remote user can exploit a flaw in the Networking component to partially access data [CVE-2017-3231, CVE-2017-3261].

A remote user can exploit a flaw in the Deployment component to partially access data [CVE-2017-3259].

A remote user can exploit a flaw in the Java Mission Control component to partially modify data [CVE-2016-8328].

The following researchers reported these and other Oracle product vulnerabilities:

Aleksandar Nikolic of Cisco Talos; Alexander Mirosh of Hewlett Packard Enterprise; Alvaro Munoz of Hewlett Packard Enterprise; Andrew Fowler of Lithium; Behzad Najjarpour Jabbari, Secunia Research at Flexera Software; Blessen Thomas of EY Global Delivery Services; Brian Martin of Tenable Network Security;
Daniel Bleichenbacher of Google; Daniel Fahlgren; David Litchfield formerly of Google; Dawid Golunski of Legal Hackers; Deniz Cevik of Biznet Bilisim A.S.; Dmitry Yudin of ERPScan; Emiliano J. Fausto of Onapsis; Gaston Traberg of Onapsis; Jacob Baines - Tenable Network Security (via Trend Micro's Zero Day Initiative); John Page (hyp3rlinx); Kristian Hermansen at undisclosed; Li Qiang of the Qihoo 360 Gear Team;
ma.la of LINE Corporation; Mala; Maris Elsins of Google; Matias Mevied of Onapsis; Moritz Bechler; Nicholas Lemonias of Advanced Information Security Corporation; Owais Mehtab of IS; Per Lindberg; Red Hat Product Security; Roman Shalymov of ERPScan; Shannon Hickey of Adobe; Tayeeb Rana of IS; Ubais PK of EY Global Delivery Services; Wladislaw Mitzel; Wolfgang Hotwagner; Xiejingwei Fei of FINRA;
XOR19 of Trend Micro's Zero Day Initiative; and Zuozhi Fan formerly of Alibaba.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause denial of service conditions.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3261, CVE-2017-3272, and CVE-2017-3289.

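Whether a CentOS host already carries this errata is decided by comparing the installed java-1.7.0-openjdk VERSION-RELEASE with the build the update ships, and RPM version strings do not sort lexically (1.7.0.131 is newer than 1.7.0.121, a numeric segment outranks an alphabetic one, a tilde sorts below everything). The block below is an added example, not code from SecurityTracker or the CentOS project: a Python port of rpm's segment-wise rpmvercmp, with the fixed CentOS 7 build taken from the advisory's package names and the installed-version sample constructed.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style compare: 1 if a is newer than b, -1 if older, 0 if equal."""
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is not alphanumeric or '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # a tilde sorts before everything, including the end of the string
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # next segment of each string: a run of digits or a run of letters
        sa = re.match(r"\d+|[^\W\d_]+", a[i:]).group()
        sb = re.match(r"\d+|[^\W\d_]+", b[j:]).group()
        i, j = i + len(sa), j + len(sb)
        if sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1  # numeric segment beats alpha
        if sa.isdigit():
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    # whichever string still has segments left is the newer one
    if (i < len(a)) == (j < len(b)):
        return 0
    return 1 if i < len(a) else -1

def is_fixed(installed_vr: str, fixed_vr: str) -> bool:
    """True when an installed VERSION-RELEASE is at or above the fixed one."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)  # release decides ties
    return c >= 0

# Fixed CentOS 7 build from the advisory's package names (CESA-2017:0269)
FIXED_EL7 = "1.7.0.131-2.6.9.0.el7_3"
# Constructed sample of what `rpm -q --qf '%{VERSION}-%{RELEASE}' java-1.7.0-openjdk` might print
SAMPLE_OLD = "1.7.0.121-2.6.8.1.el7_3"
```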

Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  5, 6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Jan 19 2017 Oracle Java SE Bugs Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges



Source Message Contents

Subject:  [CentOS-announce] CESA-2017:0269 Critical CentOS 7 java-1.7.0-openjdk Security Update


CentOS Errata and Security Advisory 2017:0269 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0269.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
Copyright 2019, SecurityGlobal.net LLC