Published on: 17 April 2019
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 5 vulnerabilities identified in Java affecting multiple sub-components including 2D, Libraries, RMI and Windows DLL. All of them could be remotely exploited without authentication.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely through various protocols including HTTP, HTTPS, JDBC, JDENET, Local Logon, MySQL Protocol, Oracle Net, SSH, T3, TCP or TLS over a network.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a remote attacker could send specially crafted network packets to the affected systems to exploit the vulnerabilities.
A complete list of the affected products can be found at:
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory at the vendor's website:
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Users may contact their product support vendors for the fixes and assistance.
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html
https://www.oracle.com/technetwork/java/javase/11-0-3-oracle-relnotes-5290048.html
https://www.oracle.com/technetwork/java/javase/8u211-relnotes-5290139.html
https://www.oracle.com/technetwork/java/javase/8u212-relnotes-5292913.html
https://www.hkcert.org/my_url/en/alert/19041701
https://www.us-cert.gov/ncas/current-activity/2019/04/16/Oracle-Releases-April-2019-Security-Bulletin
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14952
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3312
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3314
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2516 (to CVE-2019-2518)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2564 (to CVE-2019-2568)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2570 (to CVE-2019-2598)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2600 (to CVE-2019-2665)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2669 (to CVE-2019-2671)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2673 (to CVE-2019-2709)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2719 (to CVE-2019-2723)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3772
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822