Published on: 15 April 2015
Oracle has released Critical Patch Update (CPU) Advisory with collections of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 14 vulnerabilities identified in Java affecting multiple sub-components including 2D, Beans, Deployment, Hotspot, JavaFX, JCE, JSSE and Tools. All of them could be remotely exploitable without authentication and 3 of them could affect server deployment of Java (e.g. through a web service).
For vulnerabilities identified in those Oracle products, they can be remotely exploited through various protocols including HTTP, HTTPS, LDAP, MySQL Protocol, Oracle Net, SQLNET, SSL/TLS and UDP over a network.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing un-trusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
For details of affected products, please refer to "Affected Products and Components" of corresponding security advisory at the vendor’s website:
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, gain of escalated privilege, denial of services, retrieval of sensitive information, bypass of security restrictions or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor’s website:
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
Users may contact their product support vendors for the fixes and assistance.
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html
https://www.hkcert.org/my_url/en/alert/15041513
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0112
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7809
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0405
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0423
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0433
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0438 (to CVE-2015-0441)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0447 (to CVE-2015-0453)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0455 (to CVE-2015-0466)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469 (to CVE-2015-0480)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0482 (to CVE-2015-0511)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2565 (to CVE-2015-2568)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2570 (to CVE-2015-2579)