Published on: 19 April 2017
Oracle has released a Critical Patch Update (CPU) Advisory containing patches for multiple security vulnerabilities found in Java SE and various other Oracle products.
There are 8 vulnerabilities identified in Java, affecting multiple sub-components including AWT, JAXP, JCE, Networking, and Security. 7 of them could be remotely exploited without authentication, and 4 of them could affect server deployments of Java.
The vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over a network through various protocols, including HTTP, HTTPS, ICMP, MySQL Protocol, Oracle Net, SCTP, SFT, SMB, SSH, SSL/TLS, TCP, TLS, and T3.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
A complete list of the affected products can be found at:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for the affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
Java Platform SE 8 (JDK and JRE 8 Update 131)
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory on the vendor's website:
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Users may contact their product support vendors for the fixes and assistance.
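As an added example (not part of this advisory or of any Oracle tooling), a small Python check that parses `java -version` output and flags runtimes below the Java SE 8 Update 131 level the advisory names. The sample version strings are constructed; treating Java 7 and unrecognised runtimes as unpatched is an assumption of this script, since the advisory only names the 8u131 release.

```python
import re
import subprocess

# Minimum patched release named in the advisory: Java SE 8 Update 131.
PATCHED_MAJOR, PATCHED_UPDATE = 8, 131

_VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(version_output):
    """Return (major, update) from `java -version` output, or None.

    Handles the legacy 1.<major>.<minor>_<update>[-build] form
    ("1.8.0_131-b11") and the post-JEP-223 form used from Java 9 on
    ("9.0.4"), where the third component is the security/update level."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    ver = m.group(1)
    if ver.startswith("1."):
        parts = ver.split(".")
        major = int(parts[1])
        rest = parts[2] if len(parts) > 2 else "0"
        upd = re.match(r"\d+_(\d+)", rest)
        return major, (int(upd.group(1)) if upd else 0)
    m2 = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", ver)
    if not m2:
        return None
    return int(m2.group(1)), int(m2.group(3) or 0)


def is_patched(version_output):
    """True when the runtime is at or above the advisory's fixed level."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return False  # assumption: an unrecognised runtime is treated as unpatched
    major, update = parsed
    if major != PATCHED_MAJOR:
        return major > PATCHED_MAJOR  # assumption: Java 7 and below count as unpatched
    return update >= PATCHED_UPDATE


def check_local_java():
    """Run the local `java -version` (it writes to stderr) and classify it."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_patched(out.stderr + out.stdout)


if __name__ == "__main__":
    SAMPLE = 'java version "1.8.0_121"\nJava(TM) SE Runtime Environment (build 1.8.0_121-b13)\n'  # constructed
    print("patched" if is_patched(SAMPLE) else "NOT patched", parse_java_version(SAMPLE))
```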