Published on: 19 October 2016
Oracle has released its Critical Patch Update (CPU) Advisory, a collection of patches for multiple security vulnerabilities found in Java SE and various other Oracle products.
There are 7 vulnerabilities identified in Java SE, affecting multiple sub-components including 2D, AWT, Hotspot, JMX, Libraries and Networking. All of them could be exploited remotely without authentication.
The vulnerabilities identified in the other Oracle products can be exploited remotely over a network through various protocols, including HTTP, HTTPS, IKEv2, MySQL Protocol, NTP, Oracle Net, SSH, SSL/TLS, VDRP and XML.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For the other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
For details of the affected products, please refer to the "Affected Products and Components" section of the corresponding security advisory at the vendor’s website:
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of service, data manipulation or information disclosure.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
Java Platform SE 8 (JDK and JRE 8 Update 111/112)
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
For other Oracle products, please refer to the "Patch Availability Table and Risk Matrices" section of the corresponding security advisory at the vendor’s website:
- http://www.oracle.com/technetwork/topics/security/cpuoct2016-2881722.html
Users may contact their product support vendors for the fixes and assistance.
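As an added example (not part of this alert and not Oracle's own tooling), the POSIX shell functions below check whether a Java 8 runtime reports an update level at or above 8u111, the fix level named above for this CPU. The function names and the sample version strings are constructed for illustration; `check_installed_java` queries the `java` binary on the host's PATH.

```shell
#!/bin/sh
# Added example: verify a Java 8 runtime is at or above the CPU October 2016
# fix level (JDK/JRE 8 Update 111). Function names are hypothetical.

MIN_PATCHED_UPDATE=111   # from the advisory: JDK and JRE 8 Update 111/112

# Print the update number from a Java 8 version string such as "1.8.0_102"
# (e.g. 102). Fail with status 1 if the string is not a Java 8 version.
java8_update_number() {
    case "$1" in
        1.8.0_*) printf '%s\n' "${1#1.8.0_}" | sed 's/[^0-9].*$//' ;;
        1.8.0)   printf '0\n' ;;
        *)       return 1 ;;
    esac
}

# Status 0: at or above 8u111 (patched for this CPU).
# Status 1: a Java 8 build below the fix level.
# Status 2: not parseable as a Java 8 version string (e.g. Java 7).
java8_is_patched() {
    upd=$(java8_update_number "$1") || return 2
    [ -n "$upd" ] || return 2
    [ "$upd" -ge "$MIN_PATCHED_UPDATE" ]
}

# Read the version of the java binary on PATH and report its patch status.
# `java -version` writes to stderr; the version is the first quoted token.
check_installed_java() {
    ver=$(java -version 2>&1 | sed -n '1s/.*"\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || { echo "java not found or version not recognised"; return 2; }
    rc=0
    java8_is_patched "$ver" || rc=$?
    case "$rc" in
        0) echo "java $ver: at or above 8u$MIN_PATCHED_UPDATE" ;;
        1) echo "java $ver: BELOW 8u$MIN_PATCHED_UPDATE, apply the CPU update" ;;
        *) echo "java $ver: not a Java 8 version string, check manually" ;;
    esac
    return "$rc"
}
```

The check deliberately distinguishes "below the fix level" from "could not parse", so an unexpected version format is reported for manual review rather than silently passing.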
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
http://www.oracle.com/technetwork/java/javase/8u112-relnotes-3124973.html
https://www.hkcert.org/my_url/en/alert/16101902
https://www.us-cert.gov/ncas/current-activity/2016/10/18/Oracle-Releases-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5312
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4444
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0381
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0382
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0409
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0411
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0423
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0433
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0500
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2568
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1881
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3473
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3492
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3495
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3505
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3551
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3562
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4979
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5479
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5480 (to CVE-2016-5482)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5486 (to CVE-2016-5493)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5495
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5497 (to CVE-2016-5508)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5510 (to CVE-2016-5519)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5521 (to CVE-2016-5527)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5529 (to CVE-2016-5540)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542 (to CVE-2016-5544)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5553 (to CVE-2016-5589)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5591 (to CVE-2016-5613)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5615 (to CVE-2016-5622)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5624 (to CVE-2016-5635)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7440
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8281
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8283 (to CVE-2016-8296)