Published on: 18 July 2018
Last update on: 25 July 2018
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 8 vulnerabilities identified in Java affecting multiple sub-components including Java DB, Deployment, JavaFX, Windows DLL, Security, JSSE, Libraries and Concurrency. All of them could be remotely exploited without authentication.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely through various protocols including HTTP, HTTPS, TLS, SSH, T3, Jolt, Local Logon, SSL, Log4j, memcached, RPC, ISCSI, IPMI, DHCP and MySQL protocol over a network.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
As proof-of-concept exploit code against CVE-2018-2893 was reported to be publicly disclosed, the risk of cyber attacks on vulnerable Oracle WebLogic Server systems will be elevated. For detailed information on the available patches, please refer to the corresponding security advisory at:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixFMW
A complete list of the affected products can be found at:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory at the vendor's website:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Users may contact their product support vendors for the fixes and assistance.
https://isc.sans.edu/forums/diary/Weblogic+Exploit+Code+Made+Public+CVE20182893/23896/
http://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/java/javase/10-0-2-relnotes-4477557.html
http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
https://www.hkcert.org/my_url/en/alert/18071801
https://www.us-cert.gov/ncas/current-activity/2018/07/17/Oracle-Releases-July-2018-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0230
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9746
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414 (to CVE-2015-3416)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2099
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105 (to CVE-2016-2107)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3506
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4055
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4463
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5019
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0785
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3633 (to CVE-2017-3636)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3647 (to CVE-2017-3649)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3651 (to CVE-2017-3653)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735 (to CVE-2017-3738)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5529
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5533
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9526
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13218
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15707
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0733
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1171
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1258
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1270 (to CVE-2018-1272)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1275
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1327
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2598
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2767
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2881
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2882
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2888
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2891 (to CVE-2018-2901)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2903 (to CVE-2018-2908)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2915 (to CVE-2018-2921)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2923 (to CVE-2018-2930)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2932 (to CVE-2018-2970)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2972 (to CVE-2018-2982)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2984 (to CVE-2018-3010)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3012 (to CVE-2018-3058)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3060 (to CVE-2018-3082)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3084 (to CVE-2018-3105)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3108
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3109
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120 (to CVE-2018-1000122)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000300
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000301