Published on: 18 January 2017
Oracle has released the January 2017 Critical Patch Update (CPU) Advisory, a collection of patches for multiple security vulnerabilities in Java SE and various other Oracle products.
There are 17 vulnerabilities identified in Java SE, affecting multiple sub-components including 2D, AWT, Deployment, Hotspot, JAAS, Java Mission Control, Libraries, Networking and RMI. 16 of them can be exploited remotely without authentication.
The vulnerabilities identified in the other Oracle products can be exploited either with physical access to the system or remotely over the network through various protocols, including HTTP, HTTPS, LDAP, MySQL Protocol, Oracle Net, TLS, T3 and SMTP.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For the other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
For details of affected products, please refer to "Affected Products and Components" of corresponding security advisory at the vendor’s website:
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of service, data manipulation, information disclosure or compromise of the vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
For Oracle Java SE 8, the fixed release is Java SE 8u121; please refer to its release notes, linked in the references below.
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor’s website:
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Users may contact their product support vendors for the fixes and assistance.
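One check a practitioner would want before closing this advisory is whether each installed JRE is already at the fixed update level. The script below is an added example, not part of the original advisory or any Oracle tooling: it parses the banner printed by `java -version` (the 1.x.0_N scheme used by Java 6, 7 and 8) and compares the update number against a baseline table. The table holds only Java SE 8u121, the release whose notes are linked below; baselines for the Java 7 and 6 families are not stated on this page and must be added from the advisory's Patch Availability table. The function names, the host names and the sample banners are constructed for the example.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Minimum update level per Java family that carries the January 2017 CPU fixes.
# Only Java SE 8u121 is taken from this page (see the 8u121 release notes link);
# entries for the 7 and 6 families must be added from the advisory itself.
FIXED_UPDATE: Dict[int, int] = {8: 121}

# Matches the legacy version scheme used by Java 6/7/8, e.g. 'java version "1.8.0_112-b15"'.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a `java -version` banner, e.g. (8, 112).

    Returns None when the banner does not match the 1.x.0_N scheme.
    A missing update suffix (e.g. "1.8.0") is treated as update 0.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_patched(banner: str, fixed: Dict[int, int] = FIXED_UPDATE) -> Optional[bool]:
    """Compare a banner against the CPU baseline.

    True  -> update level is at or above the fixed release
    False -> update level is below the fixed release (vulnerable)
    None  -> family not in the baseline table, or banner unparseable;
             callers must treat None as "unknown", never as "safe".
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family not in fixed:
        return None
    return update >= fixed[family]


def local_java_banner() -> str:
    """Run `java -version` on this host. The banner is written to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    # Constructed sample banners, as they might be collected from several hosts.
    samples = {
        "host-a": 'java version "1.8.0_112-b15"',   # pre-CPU, vulnerable
        "host-b": 'java version "1.8.0_121-b13"',   # exactly the fixed release
        "host-c": 'java version "1.7.0_80-b15"',    # family not in the table above
        "host-d": "bash: java: command not found",  # no JRE, or banner not captured
    }
    for host, banner in samples.items():
        state = {True: "patched", False: "VULNERABLE", None: "unknown"}[is_patched(banner)]
        print(f"{host}: {state} ({banner})")
    print("local:", is_patched(local_java_banner()))
```

The three-way result is deliberate: a host whose banner cannot be parsed, or whose Java family has no baseline in the table, is reported as unknown rather than silently passing, so an inventory run over many hosts does not hide the ones that still need a manual look.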
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
https://www.hkcert.org/my_url/en/alert/17011801
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0250
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3237
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5055
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0734
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1903
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5000
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5019
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5509
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5541
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5545 (to CVE-2016-5549)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5590
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5614
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5623
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8282
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8297 (to CVE-2016-8320)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8322 (to CVE-2016-8330)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3231
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3236
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238 (to CVE-2017-3253)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3255 (to CVE-2017-3287)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3289 (to CVE-2017-3301)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3303
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3310 (to CVE-2017-3328)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3330
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3332
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3333
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3359
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3361
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3362
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3363
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3368
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3369
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3372
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3373
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3415
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3418
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3421
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3440
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3443