Published on: 18 October 2018
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 12 vulnerabilities identified in Java, affecting multiple sub-components including Deployment, Hotspot, JNDI, JSSE, JavaFX, Networking, Scripting, Security, Serviceability, Sound and Utility. 11 of them could be exploited remotely without authentication.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over a network through various protocols, including FTP, HTTP, Portmap, SMB, TLS, T3, VRDP, MySQL protocol and X protocol.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or could submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a remote attacker could send specially crafted network packets to the affected systems to exploit the vulnerabilities.
A complete list of the affected products can be found at:
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory at the vendor's website:
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Users may contact their product support vendors for the fixes and assistance.
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html
https://www.oracle.com/technetwork/java/javase/8u191-relnotes-5032181.html
https://www.oracle.com/technetwork/java/javase/8u192-relnotes-4479409.html
https://www.hkcert.org/my_url/en/alert/18101801
https://www.us-cert.gov/ncas/current-activity/2018/10/16/Oracle-Releases-October-2018-Security-Bulletin
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3490
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2902
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2911 (to CVE-2018-2914)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2922
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3059
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3126 (to CVE-2018-3198)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3200 (to CVE-2018-3215)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3217 (to CVE-2018-3239)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3241 (to CVE-2018-3259)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3261 (to CVE-2018-3299)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3301
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000300