Published on: 17 January 2018
Oracle has released a Critical Patch Update (CPU) Advisory containing patches for multiple security vulnerabilities found in Java SE and various Oracle products. Patches are also available for some products to address the Meltdown and Spectre issues. Please refer to the Recommendation section for more information.
There are 21 vulnerabilities identified in Java, affecting multiple sub-components including AWT, Hotspot, I18n, Installer, JavaFX, JCE, JGSS, JMX, JNDI, LDAP, Libraries, Serialization and Server. 18 of them could be exploited remotely without authentication; the remaining vulnerabilities could affect the deployment of Java.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over a network via various protocols, including HTTP, HTTPS, ICMP, TLS, MySQL Protocol, TCP/UDP and Oracle Net.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
A complete list of the affected products can be found at:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches to address Meltdown and Spectre issues are released for some Oracle products, including Oracle Linux, Oracle VM, Oracle VM VirtualBox and Oracle X86 Servers. System administrators should refer to the addendum for the latest update.
https://support.oracle.com/rs?type=doc&id=2347948.1
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory at the vendor's website:
Users may contact their product support vendors for the fixes and assistance.
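As an added defender-side example (not part of this advisory and not Oracle's own tooling), the following Python script parses `java -version` banners collected from hosts and flags installations that fall below a minimum patched version. The minimum versions in MIN_PATCHED are assumed placeholders and must be confirmed against the Java SE 8u and 9u release notes linked below; the host names and banner strings are constructed samples.

```python
import re
import shutil
import subprocess

# ASSUMED minimum patched versions for this CPU, keyed by major release.
# These are placeholders: confirm the real values against the Java SE
# release notes referenced in the advisory before relying on this check.
MIN_PATCHED = {
    8: (8, 0, 161),   # legacy "1.8.0_<update>" family
    9: (9, 0, 4),     # new-style "9.x.y" family
}

VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(banner):
    """Return a comparable (major, minor, update) tuple from `java -version`
    output, or None if no version string is present.

    Handles the legacy format  1.8.0_152  and the new format  9.0.1 / 9 .
    Both "java version" and "openjdk version" banners are accepted.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    raw = match.group(1).split("-")[0]          # drop suffixes such as "-ea"
    if raw.startswith("1."):
        # legacy: 1.<major>.0_<update>
        major_s, _, tail = raw[2:].partition(".")
        update = tail.split("_")[1] if "_" in tail else "0"
        return (int(major_s), 0, int(update))
    nums = [int(p) for p in raw.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)                           # pad "9" to (9, 0, 0)
    return tuple(nums)


def is_patched(banner):
    """True if the banner's version meets MIN_PATCHED for its major release,
    False if it is older, None if unparseable or an unknown release family."""
    version = parse_java_version(banner)
    if version is None:
        return None
    minimum = MIN_PATCHED.get(version[0])
    if minimum is None:
        return None                              # e.g. Java 10 early access
    return version >= minimum


def audit(banners):
    """Map each host name to 'patched', 'OUTDATED' or 'unknown'."""
    labels = {True: "patched", False: "OUTDATED", None: "unknown"}
    return {host: labels[is_patched(b)] for host, b in banners.items()}


def local_java_banner():
    """Collect the banner from the java binary on PATH (java -version
    writes to stderr); returns '' when no java is installed."""
    java = shutil.which("java")
    if java is None:
        return ""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


# Constructed sample inventory, as if gathered from several hosts.
SAMPLE_BANNERS = {
    "workstation-a": 'java version "1.8.0_152"\n'
                     'Java(TM) SE Runtime Environment (build 1.8.0_152-b16)\n',
    "workstation-b": 'openjdk version "1.8.0_161"\n'
                     'OpenJDK Runtime Environment (build 1.8.0_161-b12)\n',
    "server-c":      'java version "9.0.1"\n'
                     'Java(TM) SE Runtime Environment (build 9.0.1+11)\n',
    "server-d":      'java version "10-ea"\n',
    "appliance-e":   'bash: java: command not found\n',
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_BANNERS).items():
        print(f"{host:14s} {status}")
    local = local_java_banner()
    if local:
        print(f"{'localhost':14s} {audit({'localhost': local})['localhost']}")
```

Hosts reported as OUTDATED are candidates for the Java SE update; "unknown" means the release family is not covered by the assumed table and must be checked by hand against the release notes.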
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/java/javase/documentation/9u-relnotes-3704429.html
http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
https://www.hkcert.org/my_url/en/alert/18011702
https://www.us-cert.gov/ncas/current-activity/2018/01/16/Oracle-Releases-January-2018-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0704
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5385
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0781
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9072
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10068
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10262
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10273
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10282
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10301
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10352
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2560 (to CVE-2018-2562)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2564 (to CVE-2018-2571)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2573 (to CVE-2018-2586)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588 (to CVE-2018-2597)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599 (to CVE-2018-2627)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629 (to CVE-2018-2717)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2719 (to CVE-2018-2733)