Security Alert (A16-04-04): Multiple Vulnerabilities in Oracle Java and Oracle Products (April 2016)


 

Published on: 20 April 2016

  
  

Description:

Oracle has released Critical Patch Update (CPU) Advisory with collections of patches for multiple security vulnerabilities found in Java SE and various Oracle products.

There are 9 vulnerabilities identified in Java affecting multiple sub-components including 2D, Hotspot, Serialization, JMX, Deployment, Security, JAXP and JCE. All of them could be remotely exploited without authentication in which 3 of them could affect server deployment of Java (e.g. through a web service).

For vulnerabilities identified in those Oracle products, they can be remotely exploited through various protocols including ECI (Proprietary EDM Protocol), HTTP, HTTPS, IPMI, JMS, Kerberos, MySQL, OpenSSH, Oracle Net and RPC over a network.

There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing un-trusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.

 

Affected Systems:

Oracle Java SE

  • Oracle Java SE, version(s) 6u113, 7u99, 8u77
    Oracle Java SE Embedded, version(s) 8u77
    Oracle JRockit, version(s) R28.3.9

Database Server

  • Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2

Fusion Middleware

  • Oracle API Gateway, version(s) 11.1.2.3.0, 11.1.2.4.0
  • Oracle BI Publisher, version(s) 12.2.1.0.0
  • Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
  • Oracle Exalogic Infrastructure, version(s) 1.0, 2.0
  • Oracle GlassFish Server, version(s) 2.1.1
  • Oracle HTTP Server, version(s) 12.1.2.0, 12.1.3.0
  • Oracle iPlanet Web Proxy Server, version(s) 4.0
  • Oracle iPlanet Web Server, version(s) 7.0
  • Oracle OpenSSO, version(s) 3.0-0.7
  • Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
  • Oracle Traffic Director, version(s) 11.1.1.7.0, 11.1.1.9.0
  • Oracle Tuxedo, version(s) 12.1.1.0
  • Oracle WebCenter Sites, version(s) 11.1.1.8.0, 12.2.1
  • Oracle WebLogic Server, version(s) 10.3.6, 12.1.2, 12.1.3, 12.2.1

Enterprise Manager Grid Control

  • Oracle Application Testing Suite, version(s) 12.4.0.2, 12.5.0.2
  • OSS Support Tools Oracle Explorer, version(s) 10

E-Business Suite

  • Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5

Oracle Supply Chain Products Suite

  • Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
  • Oracle Agile PLM, version(s) 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3
  • Oracle Complex Maintenance, Repair, and Overhaul, version(s) 11.5.10.2, 12.1.1, 12.1.2, 12.1.3
  • Oracle Configurator, version(s) 12.0.6, 12.1, 12.2
  • Oracle Engineering Data Management, version(s) 6.1.3.0, 6.2.2.0
  • Oracle Transportation Management, version(s) 6.1, 6.2

PeopleSoft Products

  • PeopleSoft Enterprise HCM, version(s) 9.1, 9.2
  • PeopleSoft Enterprise HCM ePerformance, version(s) 9.2
  • PeopleSoft Enterprise PeopleTools, version(s) 8, 8.53, 8.54, 8.55, 54
  • PeopleSoft Enterprise SCM, version(s) 9.1, 9.2

JD Edwards Products

  • JD Edwards EnterpriseOne Tools, version(s) 9.1, 9.2

Siebel CRM

  • Siebel Applications, version(s) 8.1.1, 8.2.2

Oracle Communications Applications

  • Oracle Communications User Data Repository, version(s) 10.0.1

Oracle Retail Applications

  • Oracle Retail MICROS ARS POS, version(s) 1.5
  • Oracle Retail MICROS C2, version(s) 9.89.0.0
  • Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1

Oracle Health Sciences Applications

  • Oracle Life Sciences Data Hub, version(s) 2.1

Oracle Financial Services Software

  • Oracle FLEXCUBE Direct Banking, version(s) 12.0.2, 12.0.3

Oracle Sun Systems Products Suite

  • Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2290
  • Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to 2.0.0.6
  • Solaris, version(s) 10, 11.3
  • Solaris Cluster, version(s) 4.2
  • SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP 1121
  • Sun Storage Common Array Manager, version(s) 6.9.0

Oracle Virtualization

  • Oracle VM VirtualBox, version(s) prior to 4.3.36, prior to 5.0.18
  • Sun Ray Software, version(s) 11.1

Oracle MySQL

  • MySQL Enterprise Monitor, version(s) 3.0.25 and prior, 3.1.2 and prior
  • MySQL Server, version(s) 5.5.48 and prior, 5.6.29 and prior, 5.7.11 and prior

Berkeley DB

  • Oracle Berkeley DB, version(s) 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26

 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of services, gain of escalated privilege, information disclosure, bypass of security restrictions or compromise of a vulnerable system.

 

Recommendation:

Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

For Oracle Java SE products, please refer to the following link:

  • Java Platform SE 8 (JDK and JRE 8 Update 91/92)
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor’s website:

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Users may contact their product support vendors for the fixes and assistance.

 

More Information:

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/java/javase/8u91-relnotes-2949462.html
http://www.oracle.com/technetwork/java/javase/8u92-relnotes-2949471.html
https://www.hkcert.org/my_url/en/alert/16042001
https://www.us-cert.gov/ncas/current-activity/2016/04/19/Oracle-Releases-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4786
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3576
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194 (to CVE-2015-3195)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3238
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0407 (to CVE-2016-0408)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0468 (to CVE-2016-0469)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0479
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0623
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0638 (to CVE-2016-0644)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0646 (to CVE-2016-0659)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0661 (to CVE-2016-0663)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0665 (to CVE-2016-0669)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0671 (to CVE-2016-0700)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2047
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3416 (to CVE-2016-3423)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425 (to CVE-2016-3429)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3431
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3434 (to CVE-2016-3439)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3441 (to CVE-2016-3443)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3447
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3449
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3454 (to CVE-2016-3457)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3460 (to CVE-2016-3466) 



Tag: Oracle , Java , Oracle Database , Fusion , Enterprise Manager Grid Control , Oracle E-Business Suite , Enterprise Manager , Oracle Supply Chain Products , PeopleSoft , JD Edwards , Siebel , Oracle Communications , Oracle Retail , Oracle Health Sciences , Oracle Financial Services , Sun Systems , Oracle Virtualization , MySQL , Berkeley
Tags