Security Alert (A16-01-06): Multiple Vulnerabilities in Oracle Java and Oracle Products (January 2016)


 

Published on: 20 January 2016

  
  

Description:

Oracle has released Critical Patch Update (CPU) Advisory with collections of patches for multiple security vulnerabilities found in Java SE and various Oracle products.

There are 8 vulnerabilities identified in Java affecting multiple sub-components including 2D, AWT, JAXP, JMX, Libraries, Networking and Security. 7 of them could be remotely exploited without authentication and 4 of them could affect server deployment of Java (e.g. through a web service).

For vulnerabilities identified in those Oracle products, they can be remotely exploited through various protocols including HTTP, HTTPS, JMS, MySQL Protocol, NFS, Oracle GoldenGate, Oracle Net, RPC, SMB, SSL/TLS, T3 and WebSocket over a network.

There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing un-trusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.


Affected Systems:

  • Communications Converged Application Server - Service Controller
  • E-Business Suite
  • Enterprise Manager
  • Fusion Applications & Middleware
  • iLearning
  • JD Edwards
  • MICROS CW Direct
  • Oracle and Sun Systems Products Suite
  • Oracle GoldenGate
  • Oracle Java SE
  • Oracle Linux and Virtualization
  • Oracle MySQL Product Suite
  • Oracle Supply Chain Products Suite
  • PeopleSoft Enterprise
  • Retail Open Commerce Platform Cloud Service
  • Retail Order Broker Cloud Service
  • Retail Order Management System Cloud Service
  • Retail Point-of-Service

For details of affected products, please refer to "Affected Products and Components" of corresponding security advisory at the vendor’s website:

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html


Impact:

Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of services, gain of escalated privilege, information disclosure, bypass of security restrictions or compromise of a vulnerable system.


Recommendation:

Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

For Oracle Java SE products, please refer to the following link:

  • Java Platform SE 8 (JDK and JRE 8 Update 71)
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor’s website:

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Users may contact their product support vendors for the fixes and assistance.

 

More Information:

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/java/javase/8u71-relnotes-2773756.html
https://www.us-cert.gov/ncas/current-activity/2016/01/19/Oracle-Releases-Security-Bulletin
https://www.hkcert.org/my_url/en/alert/16012001
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3153
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4808
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4885
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4919
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4920 (to CVE-2015-4926)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5307
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6013 (to CVE-2015-6015)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7744
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8370
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0401 (to CVE-2016-0406)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0409
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0411 (to CVE-2016-0602)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0605 (to CVE-2016-0611)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0614
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0616
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0618



Tag: Oracle , Java , Oracle Database , Oracle GoldenGate , Fusion , Enterprise Manager , Oracle E-Business , Oracle Supply Chain , PeopleSoft , JD Edwards , Oracle iLearning , Oracle Communications , MICROS CW Direct , Siebel , Oracle Retail , Sun Systems , Oracle Linux , MySQL
Tags