Published on: 19 July 2017
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various other Oracle products.
There are 32 vulnerabilities identified in Java, affecting multiple sub-components including 2D, AWT, Deployment, Hotspot, ImageIO, JavaFX, JAXP, JAX-WS, JCE, Libraries, RMI, Scripting, Security, Serialization and Server. 24 of them could be remotely exploited without authentication, and 4 of them could affect the deployment of Java and the Java Advanced Management Console.
The vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over various protocols, including HTTP, HTTP over TLS, HTTPS, IKE, LDAP, Memcached, MySQL Protocol, NFSv4, Oracle Net, SSL/TLS, TCP, T3 and X Protocol over a network.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
A complete list of the affected products can be found at:
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of the vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory on the vendor's website:
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Users may contact their product support vendors for the fixes and assistance.
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
https://www.hkcert.org/my_url/en/alert/17071903
https://www.us-cert.gov/ncas/current-activity/2017/07/18/Oracle-Releases-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2027
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5254
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2834
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3506
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4436
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5019
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3529
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3562
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3632 (to CVE-2017-3653)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731 (to CVE-2017-3732)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5651
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10028 (to CVE-2017-10030)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10035
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10036
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10000 (to CVE-2017-10007)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10009 (to CVE-2017-10013)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10015 (to CVE-2017-10025)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10027 (to CVE-2017-10032)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10035 (to CVE-2017-10036)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10038 (to CVE-2017-10049)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10052
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10053
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10056 (to CVE-2017-10059)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10061 (to CVE-2017-10063)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10067
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10069 (to CVE-2017-10076)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10078 (to CVE-2017-10098)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10100 (to CVE-2017-10123)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10125 (to CVE-2017-10126)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10128 (to CVE-2017-10137)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10141 (to CVE-2017-10150)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10156
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10157
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10160
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10168 (to CVE-2017-10189)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10191 (to CVE-2017-10193)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10195 (to CVE-2017-10196)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10198 (to CVE-2017-10202)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10204 (to CVE-2017-10226)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10228 (to CVE-2017-10258)