SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Oracle Java SE Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Bugs Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges and Remote and Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1038436
SecurityTracker URL:  http://securitytracker.com/id/1038436
CVE Reference:   CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544
Date:  May 10 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6u141, 7u131, 8u121
Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can access and modify data on the target system. A remote user can cause denial of service conditions on the target system. A remote or local user can obtain elevated privileges on the target system.

A remote user can exploit a flaw in the AWT component to gain elevated privileges [CVE-2017-3512, CVE-2017-3514]. These two CVEs are not among the ones addressed by the CentOS update described in this entry.

A local user can exploit a flaw in the JCE component to gain elevated privileges [CVE-2017-3511].

A remote user can exploit a flaw in the JAXP component to cause denial of service conditions [CVE-2017-3526].

A remote user can exploit a flaw in the Networking component to partially access and partially modify data [CVE-2017-3509].

A remote user can exploit a flaw in the Networking component to partially modify data [CVE-2017-3533, CVE-2017-3544].

A remote user can exploit a flaw in the Security component to partially modify data [CVE-2017-3539].

An anonymous researcher (via Beyond Security's SecuriTeam Secure Disclosure program), Florian Bogner, and Moritz Bechler reported some of these vulnerabilities.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause denial of service conditions.

A local user can obtain elevated privileges on the target system.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533, CVE-2017-3539, and CVE-2017-3544: java-1.7.0-openjdk 1.7.0.141-2.6.10.1 (el6_9 packages for CentOS 6, el7_3 packages for CentOS 7). Package checksums are listed as "sha256  filename".

CentOS 6:

i386:
ebfdee6821a0a033abc9f5063bd2e52ce7919986a5c1739fa84ffc7b1eb9a53c java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.i686.rpm
e9307aee536ac1be8137878a836e9037076fe72d6f66d7ef730b8d0cbe0246e7 java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.el6_9.i686.rpm
1c49b6e45452fad29dd317f5a2a30fd20dc61c1da05d7814924fb17f258db28f java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.el6_9.i686.rpm
eb9d7593936c5c57390f1eae69cb6df41ebd3e0611fc6529ef71c47692826c78 java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.el6_9.noarch.rpm
3eb6210ea2441df5ab1e72a1cd0d99b7483efd02b21d899df0b23cd5b80820d9 java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.el6_9.i686.rpm

x86_64:
ab2a99f59f85ba47eeb0a12c88c5c55f46c32c2d960a8d23a09b8f3c85718a1b java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
c804ca8ea2a4436a90ee87a8e752cf87d2edadda1fefdefd92929729131d25ae java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
b3ecfc32de925d197ad4bae86c425bd431771363121654e6a166f3ad34e362c7 java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
eb9d7593936c5c57390f1eae69cb6df41ebd3e0611fc6529ef71c47692826c78 java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.el6_9.noarch.rpm
9bda631ed3d3083eebe2ae9d975d22a206f7371586a04fd9754904b2f89cbb17 java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm

Source:
d50910897cdd02147db5e3f880a10a64142e50c86bdc0ac28c752a0e5735c758 java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.src.rpm

CentOS 7:

x86_64:
4df61fba30e01dbc6d6f06ab469740e33095f989f821bd9733a42950e3f94061 java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64.rpm
97828abefb8a0350bc6b32f4329bdfe30c45f32c8179c8d86f636ba8663be71c java-1.7.0-openjdk-accessibility-1.7.0.141-2.6.10.1.el7_3.x86_64.rpm
d2bdbbfe1665ce36281f70cd6dd9bf93e61d0026e740cc732575719310412455 java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.el7_3.x86_64.rpm
c343e8baed8419d59f502f69148bd52fbdc98e06268a4e9c6562c262c20bc23f java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.el7_3.x86_64.rpm
90e4a58dc9fd24e3a742f6842c0546947c2c2a0be54a8207b49d150ad568c46f java-1.7.0-openjdk-headless-1.7.0.141-2.6.10.1.el7_3.x86_64.rpm
c8ef0aa0f15da23929068abf3470308518257adbc50011d5f4592614df4601c1 java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.el7_3.noarch.rpm
f708168ce664ec29c4d9f49020a8ffe707a05bbe10fa35db8347065a4a2d1ea1 java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.el7_3.x86_64.rpm

Source:
08655b931427182c9701d70f6424f738edf593acafdd70fb6e8a085a7669759b java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.src.rpm
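The checks a practitioner would run against the lists above, as an added example that is not part of the CentOS advisory or of SecurityTracker's page: verify downloaded RPMs against the advisory's sha256 values before installing them, and confirm that the package installed on a host is at or past the fixed release. The embedded manifest is copied from the CentOS 6 x86_64 section; the function and variable names (verify_rpms, evr_ge, check_host, FIXED_EVR_EL6/EL7) are this example's own, the version comparison is a simplified stand-in for rpm's rpmvercmp (assumed sufficient for these OpenJDK NVRs), and check_host assumes rpm is available on the host.

```shell
#!/bin/sh
# Added example, not CentOS or SecurityTracker tooling.
# Verifies downloaded java-1.7.0-openjdk update RPMs against the advisory's
# sha256 list and checks that the installed package is at the fixed release.

# Fixed VERSION-RELEASE strings from the advisory (CentOS 6 and CentOS 7).
FIXED_EVR_EL6=1.7.0.141-2.6.10.1.el6_9
FIXED_EVR_EL7=1.7.0.141-2.6.10.1.el7_3

# Advisory checksum list, "sha256 filename" per line; copied from the
# CentOS 6 x86_64 section (extend with the other sections as needed).
ADVISORY_SUMS='
ab2a99f59f85ba47eeb0a12c88c5c55f46c32c2d960a8d23a09b8f3c85718a1b java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
c804ca8ea2a4436a90ee87a8e752cf87d2edadda1fefdefd92929729131d25ae java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
b3ecfc32de925d197ad4bae86c425bd431771363121654e6a166f3ad34e362c7 java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
eb9d7593936c5c57390f1eae69cb6df41ebd3e0611fc6529ef71c47692826c78 java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.el6_9.noarch.rpm
9bda631ed3d3083eebe2ae9d975d22a206f7371586a04fd9754904b2f89cbb17 java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
'

# sha256 of one file, using sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_rpms MANIFEST DIR: compare every listed file present in DIR with its
# advisory sha256. Succeeds only if at least one file was checked and none
# mismatched; files missing from DIR are reported and skipped.
verify_rpms() {
    manifest=$1; dir=$2; checked=0; bad=0
    while read -r expected file; do
        [ -n "$file" ] || continue
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING  $file"; continue
        fi
        actual=$(sha256_of "$dir/$file"); checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "FAILED   $file (got $actual)"; bad=$((bad + 1))
        fi
    done <<EOF
$manifest
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# evr_ge A B: succeed if VERSION-RELEASE string A is at or past B. Segments are
# split on '.' and '-'; numeric ones compare numerically, others as strings.
# Simplified stand-in for rpm's rpmvercmp (assumption: enough for these NVRs).
evr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""; q = (i <= nb) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { p += 0; q += 0 }
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0
    }'
}

# check_host: query rpm for the installed package and compare it with the fixed
# release for this host's dist tag. Only meaningful on a CentOS 6/7 host with rpm.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 1; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.7.0-openjdk) || {
        echo "java-1.7.0-openjdk is not installed"; return 0; }
    case $installed in
        *.el7*) fixed=$FIXED_EVR_EL7 ;;
        *)      fixed=$FIXED_EVR_EL6 ;;
    esac
    if evr_ge "$installed" "$fixed"; then
        echo "installed $installed >= fixed $fixed: patched"
    else
        echo "installed $installed <  fixed $fixed: VULNERABLE, update"; return 1
    fi
}

# Usage: ./check.sh --verify DIR   (checksum RPMs downloaded into DIR)
#        ./check.sh --host         (compare the installed package with the fix)
case ${1:-} in
    --verify) verify_rpms "$ADVISORY_SUMS" "$2" ;;
    --host)   check_host ;;
esac
```

When every file in a section has been downloaded, feeding that section straight to `sha256sum -c` performs the same check; verify_rpms tolerates a partial set and names the files that are missing, which is the usual case when only the runtime package is being staged. The checksums prove that what reached the mirror is what CentOS announced; they do not replace the RPM GPG signature check that yum performs with gpgcheck enabled.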

Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Apr 19 2017 Oracle Java SE Bugs Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges and Remote and Local Users Gain Elevated Privileges



 Source Message Contents

Subject:  [CentOS-announce] CESA-2017:1204 Moderate CentOS 6 java-1.7.0-openjdk Security Update


CentOS Errata and Security Advisory 2017:1204 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-1204.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
ebfdee6821a0a033abc9f5063bd2e52ce7919986a5c1739fa84ffc7b1eb9a53c  java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.i686.rpm
e9307aee536ac1be8137878a836e9037076fe72d6f66d7ef730b8d0cbe0246e7  java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.el6_9.i686.rpm
1c49b6e45452fad29dd317f5a2a30fd20dc61c1da05d7814924fb17f258db28f  java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.el6_9.i686.rpm
eb9d7593936c5c57390f1eae69cb6df41ebd3e0611fc6529ef71c47692826c78  java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.el6_9.noarch.rpm
3eb6210ea2441df5ab1e72a1cd0d99b7483efd02b21d899df0b23cd5b80820d9  java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.el6_9.i686.rpm

x86_64:
ab2a99f59f85ba47eeb0a12c88c5c55f46c32c2d960a8d23a09b8f3c85718a1b  java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
c804ca8ea2a4436a90ee87a8e752cf87d2edadda1fefdefd92929729131d25ae  java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
b3ecfc32de925d197ad4bae86c425bd431771363121654e6a166f3ad34e362c7  java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm
eb9d7593936c5c57390f1eae69cb6df41ebd3e0611fc6529ef71c47692826c78  java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.el6_9.noarch.rpm
9bda631ed3d3083eebe2ae9d975d22a206f7371586a04fd9754904b2f89cbb17  java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm

Source:
d50910897cdd02147db5e3f880a10a64142e50c86bdc0ac28c752a0e5735c758  java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Copyright 2019, SecurityGlobal.net LLC