Published on: 17 July 2019
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 10 vulnerabilities identified in Java affecting multiple sub-components including AWT (libpng), JCE, JSSE, Networking, Security and Utilities. 9 of them could be remotely exploited without authentication.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely over a network through various protocols including HTTP, HTTPS, ICMPv6, IPv6, JDENET, Local Logon, MySQL Protocol, OracleNet, NFS, T3 or TLS.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a remote attacker could send specially crafted network packets to the affected systems to exploit the vulnerabilities.
A complete list of the affected products can be found at:
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory on the vendor’s website:
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Users may contact their product support vendors for the fixes and assistance.
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html
https://www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html
https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html
https://www.us-cert.gov/ncas/current-activity/2019/07/16/oracle-releases-july-2019-security-bulletin
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729 (to CVE-2019-2731)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2737 (to CVE-2019-2743)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745 (to CVE-2019-2747)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2751 (to CVE-2019-2753)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2755 (to CVE-2019-2760)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2766 (to CVE-2019-2769)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2784 (to CVE-2019-2792)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2795 (to CVE-2019-2805)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2810 (to CVE-2019-2812)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2814 (to CVE-2019-2816)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2818 (to CVE-2019-2822)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2826
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2852 (to CVE-2019-2856)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2858 (to CVE-2019-2860)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2863 (to CVE-2019-2871)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2873 (to CVE-2019-2879)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358