Published on: 16 October 2019
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 20 vulnerabilities identified in Java affecting multiple sub-components including 2D, Concurrency, Deployment, Hotspot, JAXP, JavaFX (libxslt), Javadoc, Kerberos, Libraries, Networking, Scripting, Security and Serialization. All of them could be remotely exploited without authentication.
Vulnerabilities identified in other Oracle products can be exploited through physical access, or remotely over a network through various protocols including HTTP, HTTPS, Kerberos, MySQL Protocol, MySQL Workbench, NTP, OracleNet, SNMP, SSH, T3 or TLS.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a remote attacker could send specially crafted network packets to the affected systems to exploit the vulnerabilities.
A complete list of the affected products can be found at:
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory at the vendor's website:
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Users may contact their product support vendors for the fixes and assistance.
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html
https://www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html
https://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
https://www.hkcert.org/my_url/en/alert/19101604
https://www.us-cert.gov/ncas/current-activity/2019/10/15/oracle-releases-october-2019-security-bulletin
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2884
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2886 (to CVE-2019-2891)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2894 (to CVE-2019-2907)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2909 (to CVE-2019-2911)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2913 (to CVE-2019-2915)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2922 (to CVE-2019-2927)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2929 (to CVE-2019-3005)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3008 (to CVE-2019-3012)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3017 (to CVE-2019-3028)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17091