Published on: 15 July 2015
Oracle has released its Critical Patch Update (CPU) Advisory, a collection of patches for multiple security vulnerabilities found in Java SE and various other Oracle products.
There are 25 vulnerabilities identified in Java affecting multiple sub-components, including 2D, CORBA, Deployment, Hotspot, Install, JCE, JMX, JNDI, JSSE, Libraries, RMI and Security. 23 of them may be remotely exploitable without authentication, and 8 of them may affect server deployments of Java (e.g. through a web service).
The vulnerabilities identified in the other Oracle products can be remotely exploited over a network through various protocols, including HTTP, HTTPS, Kerberos, MySQL Protocol, Oracle Net, SQLNET, SSL/TLS and X11.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
For details of the affected products, please refer to the "Affected Products and Components" section of the corresponding security advisory at the vendor’s website:
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of service, privilege escalation, information disclosure, bypass of security restrictions or compromise of the vulnerable system.
Patches for the affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the "Patch Availability Table and Risk Matrices" section of the corresponding security advisory at the vendor’s website:
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Users may contact their product support vendors for the fixes and assistance.
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html
https://www.hkcert.org/my_url/en/alert/15071519
https://www.us-cert.gov/ncas/current-activity/2015/07/14/Oracle-Releases-July-2015-Security-Advisory
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1324
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0036
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0230
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568 to CVE-2014-1569
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 to CVE-2014-3567
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570 to CVE-2014-3571
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7809
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0443 to CVE-2015-0446
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0467 to CVE-2015-0468
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1803
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1926
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2580 to CVE-2015-2607
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2609 to CVE-2015-2632
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2634 to CVE-2015-2641
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2643 to CVE-2015-2664
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4727 to CVE-2015-4729
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731 to CVE-2015-4733
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4735 to CVE-2015-4761
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4763 to CVE-2015-4765
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4767 to CVE-2015-4790