The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of JRE Oracle

computer vulnerability note CVE-2016-3458 CVE-2016-3485 CVE-2016-3498

Oracle Java: vulnerabilities of July 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted products: Debian, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, AIX, Domino, Notes, IRAD, SPSS Statistics, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, WebSphere MQ, JAXP, ePO, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 13.
Creation date: 20/07/2016.
Identifiers: 1988339, 1988894, 1988978, 1989049, 1989337, 1990031, 1990448, 1991383, 1991909, 1991910, 1991911, 1991913, 1991997, 1995792, 1995799, 2001630, 2007242, 486953, CERTFR-2016-AVI-243, cpujul2016, CVE-2016-3458, CVE-2016-3485, CVE-2016-3498, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3552, CVE-2016-3587, CVE-2016-3598, CVE-2016-3606, CVE-2016-3610, DLA-579-1, DSA-3641-1, ESA-2016-099, FEDORA-2016-588e386aaa, FEDORA-2016-c07d18b2a5, FEDORA-2016-c60d35c46c, openSUSE-SU-2016:2050-1, openSUSE-SU-2016:2051-1, openSUSE-SU-2016:2052-1, openSUSE-SU-2016:2058-1, RHSA-2016:1458-01, RHSA-2016:1475-01, RHSA-2016:1476-01, RHSA-2016:1477-01, RHSA-2016:1504-01, RHSA-2016:1587-01, RHSA-2016:1588-01, RHSA-2016:1589-01, RHSA-2016:1776-01, SB10166, SOL05016441, SOL25075696, SUSE-SU-2016:1997-1, SUSE-SU-2016:2012-1, SUSE-SU-2016:2261-1, SUSE-SU-2016:2286-1, SUSE-SU-2016:2347-1, SUSE-SU-2016:2348-1, SUSE-SU-2016:2726-1, USN-3043-1, USN-3062-1, USN-3077-1, VIGILANCE-VUL-20169, ZDI-16-445, ZDI-16-446, ZDI-16-447, ZDI-16-448.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Communications.

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3587, ZDI-16-448]

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3606, ZDI-16-447]

An attacker can use a vulnerability via Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3598, ZDI-16-446]

An attacker can use a vulnerability via Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3610, ZDI-16-445]

An attacker can use a vulnerability via Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3552]

An attacker can use a vulnerability via Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3511]

An attacker can use a vulnerability via Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3503]

An attacker can use a vulnerability via JavaFX, in order to trigger a denial of service. [severity:2/4; CVE-2016-3498]

An attacker can use a vulnerability via JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3500]

An attacker can use a vulnerability via JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3508]

An attacker can use a vulnerability via CORBA, in order to alter information. [severity:2/4; CVE-2016-3458]

An attacker can use a vulnerability via Hotspot, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-3550]

An attacker can use a vulnerability via Networking, in order to alter information. [severity:1/4; CVE-2016-3485]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2016-0686 CVE-2016-0687 CVE-2016-0695

Oracle Java: multiple vulnerabilities of April 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted products: Debian, Avamar, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, AIX, Domino, Notes, QRadar SIEM, Tivoli Storage Manager, WebSphere AS Traditional, WebSphere MQ, JAXP, ePO, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 9.
Creation date: 20/04/2016.
Identifiers: 1982223, 1982566, 1984075, 1984678, 1985466, 1985875, 1987778, 484398, 486953, bulletinjan2017, CERTFR-2016-AVI-135, cpuapr2016, CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3422, CVE-2016-3425, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449, DLA-451-1, DSA-3558-1, ESA-2016-052, ESA-2016-099, FEDORA-2016-33ccc205e7, openSUSE-SU-2016:1222-1, openSUSE-SU-2016:1230-1, openSUSE-SU-2016:1235-1, openSUSE-SU-2016:1262-1, openSUSE-SU-2016:1265-1, RHSA-2016:0650-01, RHSA-2016:0651-01, RHSA-2016:0675-01, RHSA-2016:0676-01, RHSA-2016:0677-01, RHSA-2016:0678-01, RHSA-2016:0679-01, RHSA-2016:0701-01, RHSA-2016:0702-01, RHSA-2016:0708-01, RHSA-2016:0716-01, RHSA-2016:0723-01, RHSA-2016:1039-01, SB10159, SOL33285044, SOL73112451, SOL81223200, SUSE-SU-2016:1248-1, SUSE-SU-2016:1250-1, SUSE-SU-2016:1299-1, SUSE-SU-2016:1300-1, SUSE-SU-2016:1303-1, SUSE-SU-2016:1378-1, SUSE-SU-2016:1379-1, SUSE-SU-2016:1388-1, SUSE-SU-2016:1458-1, SUSE-SU-2016:1475-1, USN-2963-1, USN-2964-1, USN-2972-1, VIGILANCE-VUL-19416, ZDI-16-376.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3443, ZDI-16-376]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-0687]

An attacker can use a vulnerability of Serialization, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-0686]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3427]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3449]

An attacker can use a vulnerability of Security, in order to obtain information. [severity:2/4; CVE-2016-0695]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3425]

An attacker can use a vulnerability of 2D, in order to trigger a denial of service. [severity:2/4; CVE-2016-3422]

An attacker can use a vulnerability of JCE, in order to obtain information. [severity:1/4; CVE-2016-3426]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2016-0636

Oracle Java: code execution via Hotspot

Synthesis of the vulnerability

An attacker can use a vulnerability in Hotspot of Oracle Java, in order to run code in the web browser of the victim who loads a malicious Java applet.
Impacted products: FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Fedora, Domino, Notes, QRadar SIEM, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 24/03/2016.
Identifiers: 1984678, 1985875, 1987778, BSA-2016-006, CERTFR-2016-AVI-108, CVE-2016-0636, DLA-451-1, DSA-3558-1, FEDORA-2016-90ee071b21, FEDORA-2016-d5dd39a1d5, openSUSE-SU-2016:0971-1, openSUSE-SU-2016:0983-1, openSUSE-SU-2016:1004-1, openSUSE-SU-2016:1005-1, openSUSE-SU-2016:1042-1, RHSA-2016:0511-01, RHSA-2016:0512-01, RHSA-2016:0513-01, RHSA-2016:0514-01, RHSA-2016:0515-01, RHSA-2016:0516-01, SE-2012-01, SUSE-SU-2016:0956-1, SUSE-SU-2016:0957-1, SUSE-SU-2016:0959-1, USN-2942-1, VIGILANCE-VUL-19232.

Description of the vulnerability

The Oracle Java product uses the Hotspot compiler.

However, a vulnerability in Hotspot leads to code execution. Technical details are unknown, but it may be related to an incomplete fix for CVE-2013-5838.

An attacker can therefore use a vulnerability in Hotspot of Oracle Java, in order to run code in the web browser of the victim who loads a malicious Java applet.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2016-0603

Oracle Java: code execution during installation

Synthesis of the vulnerability

An attacker can invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application requiring these DLL.
Impacted products: Java Oracle.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 08/02/2016.
Identifiers: CERTFR-2016-AVI-049, CVE-2016-0603, VIGILANCE-VUL-18885.

Description of the vulnerability

When a user installs a new application on Windows, he downloads the installation program (install.exe for example), and then runs it.

However, the Oracle Java installation program loads several DLLs (UXTheme.dll, RASAdHlp.dll, SetupAPI.dll, HNetCfg.dll, XPSP2Res.dll, ProfAPI.dll, Secur32.dll, NTMarta.dll, Version.dll, WinHTTP.dll, NetUtils.dll, WindowsCodecs.dll) from the current directory. So, if an attacker invited the victim to download a malicious DLL file, before he runs install.exe from the Download directory, the code located in the DLL is run.

An attacker can therefore invite the victim to download malicious libraries on Windows, in order to run code during the installation of Oracle Java.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-7575 CVE-2015-8126 CVE-2016-0402

Oracle Java: multiple vulnerabilities of January 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted products: Brocade Network Advisor, Brocade vTM, Debian, Avamar, BIG-IP Hardware, TMOS, Fedora, AIX, Domino, Notes, SPSS Modeler, Tivoli System Automation, WebSphere AS Traditional, WebSphere MQ, JAXP, ePO, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 9.
Creation date: 20/01/2016.
Identifiers: 1975365, 1975424, 1976200, 1976262, 1976896, 1977127, 1977129, 1977405, 1977518, 479387, 7043086, 9010057, BSA-2016-004, CERTFR-2015-AVI-488, CERTFR-2016-AVI-027, cpujan2016, CVE-2015-7575, CVE-2015-8126, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475, CVE-2016-0483, CVE-2016-0494, DSA-3458-1, DSA-3465-1, ESA-2016-003, FEDORA-2016-3ea667977a, FEDORA-2016-946b98126d, NTAP-20160121-0001, openSUSE-SU-2016:0263-1, openSUSE-SU-2016:0268-1, openSUSE-SU-2016:0270-1, openSUSE-SU-2016:0272-1, openSUSE-SU-2016:0279-1, RHSA-2016:0049-01, RHSA-2016:0050-01, RHSA-2016:0053-01, RHSA-2016:0054-01, RHSA-2016:0055-01, RHSA-2016:0056-01, RHSA-2016:0057-01, RHSA-2016:0067-01, RHSA-2016:0098-01, RHSA-2016:0099-01, RHSA-2016:0100-01, RHSA-2016:0101-01, SB10148, SLOTH, SOL50118123, SUSE-SU-2016:0256-1, SUSE-SU-2016:0265-1, SUSE-SU-2016:0269-1, SUSE-SU-2016:0390-1, SUSE-SU-2016:0399-1, SUSE-SU-2016:0401-1, SUSE-SU-2016:0428-1, SUSE-SU-2016:0431-1, SUSE-SU-2016:0433-1, SUSE-SU-2016:0636-1, SUSE-SU-2016:0770-1, SUSE-SU-2016:0776-1, USN-2884-1, USN-2885-1, VIGILANCE-VUL-18761, ZDI-16-032.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-21215). [severity:3/4; CVE-2016-0494]

An attacker can use a vulnerability of AWT libpng, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-18301). [severity:3/4; CERTFR-2015-AVI-488, CVE-2015-8126]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-0483, ZDI-16-032]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2016-0475]

An attacker can use a vulnerability of Networking, in order to alter information. [severity:2/4; CVE-2016-0402]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-0466]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; CVE-2016-0448]

An attacker can create a MD5 collision in a TLS 1.2 session, in order to capture data belonging to this session (VIGILANCE-VUL-18586). [severity:2/4; CVE-2015-7575, SLOTH]

An attacker can generate a buffer overflow in HtmlConverter, in order to trigger a denial of service, and possibly to run code. [severity:2/4]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2015-7575

Mozilla NSS, OpenSSL, Oracle Java: MD5 allowed in TLS 1.2

Synthesis of the vulnerability

An attacker can create a MD5 collision in a TLS 1.2 session of Mozilla NSS, OpenSSL or Oracle Java, in order to capture data belonging to this session.
Impacted products: Blue Coat CAS, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, AIX, DB2 UDB, Domino, Notes, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, WebSphere AS Traditional, WebSphere MQ, JAXP, Firefox, NSS, Thunderbird, SnapManager, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 28/12/2015.
Revision date: 08/01/2016.
Identifiers: 000008896, 1974958, 1975290, 1975424, 1976113, 1976148, 1976200, 1976262, 1976362, 1976363, 1977405, 1977517, 1977518, 1977523, 9010065, cpujan2016, cpuoct2017, CVE-2015-7575, DSA-3436-1, DSA-3457-1, DSA-3465-1, DSA-3491-1, DSA-3688-1, FEDORA-2016-4aeba0f53d, MFSA-2015-150, NTAP-20160225-0001, NTAP20160225-001, openSUSE-SU-2015:2405-1, openSUSE-SU-2016:0007-1, openSUSE-SU-2016:0161-1, openSUSE-SU-2016:0162-1, openSUSE-SU-2016:0263-1, openSUSE-SU-2016:0268-1, openSUSE-SU-2016:0270-1, openSUSE-SU-2016:0272-1, openSUSE-SU-2016:0279-1, openSUSE-SU-2016:0307-1, openSUSE-SU-2016:0308-1, openSUSE-SU-2016:0488-1, RHSA-2016:0007-01, RHSA-2016:0008-01, RHSA-2016:0049-01, RHSA-2016:0050-01, RHSA-2016:0053-01, RHSA-2016:0054-01, RHSA-2016:0055-01, RHSA-2016:0056-01, RHSA-2016:0098-01, RHSA-2016:0099-01, RHSA-2016:0100-01, RHSA-2016:0101-01, SA108, SLOTH, SUSE-SU-2016:0256-1, SUSE-SU-2016:0265-1, SUSE-SU-2016:0269-1, SUSE-SU-2016:0390-1, SUSE-SU-2016:0399-1, SUSE-SU-2016:0401-1, SUSE-SU-2016:0428-1, SUSE-SU-2016:0431-1, SUSE-SU-2016:0433-1, SUSE-SU-2016:0770-1, SUSE-SU-2016:0776-1, USN-2863-1, USN-2864-1, USN-2866-1, USN-2884-1, USN-2904-1, VIGILANCE-VUL-18586.

Description of the vulnerability

The Mozilla NSS, OpenSSL and Oracle Java products implement TLS version 1.2.

The MD5 hashing algorithm is weak. However, it is accepted in signatures of TLS 1.2 ServerKeyExchange messages.

An attacker can therefore create a MD5 collision in a TLS 1.2 session of Mozilla NSS, OpenSSL or Oracle Java, in order to capture data belonging to this session.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2015-2613 CVE-2015-7940

Bouncy Castle, Oracle Java: disclosure of elliptic curve private keys

Synthesis of the vulnerability

An attacker can use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Impacted products: Bouncy Castle JCE, DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Fedora, IRAD, WebSphere MQ, Mule ESB, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Java Oracle, JavaFX, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Ubuntu.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/10/2015.
Identifiers: 1968485, 1972455, 9010041, 9010044, BSA-2016-002, cpuapr2018, cpujan2017, cpujan2018, cpujan2019, cpujul2015, cpujul2017, cpujul2018, cpuoct2017, CVE-2015-2613, CVE-2015-7940, DSA-3417-1, FEDORA-2015-7d95466eda, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1911-1, RHSA-2016:2035-01, RHSA-2016:2036-01, USN-3727-1, VIGILANCE-VUL-18168.

Description of the vulnerability

The Bouncy Castle and Oracle Java products implement algorithms based on elliptic curves.

However, if the client forces the server to compute a common secret based on points located outside the chosen curve, he can progressively guess the full server key.

An attacker can therefore use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2015-4734 CVE-2015-4803 CVE-2015-4805

Oracle Java: several vulnerabilities of October 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted products: DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Fedora, AIX, Domino, Notes, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, JAXP, ePO, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, JavaFX, Puppet, RHEL, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 26.
Creation date: 21/10/2015.
Identifiers: 1969620, 1971361, 1971479, 1973785, 1974831, 1978806, 1981838, 56203, 9010041, 9010044, BSA-2016-002, BSA-2016-004, CERTFR-2015-AVI-439, cpuoct2015, CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4901, CVE-2015-4902, CVE-2015-4903, CVE-2015-4906, CVE-2015-4908, CVE-2015-4911, CVE-2015-4916, DSA-3381-1, DSA-3381-2, DSA-3401-1, FEDORA-2015-27cfe187b5, FEDORA-2015-ce54f85a3e, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1902-1, openSUSE-SU-2015:1905-1, openSUSE-SU-2015:1906-1, openSUSE-SU-2015:1971-1, openSUSE-SU-2016:0268-1, openSUSE-SU-2016:0270-1, openSUSE-SU-2016:0272-1, openSUSE-SU-2016:0279-1, RHSA-2015:1919-01, RHSA-2015:1920-01, RHSA-2015:1921-01, RHSA-2015:1926-01, RHSA-2015:1927-01, RHSA-2015:1928-01, RHSA-2015:2086-01, RHSA-2015:2506-01, RHSA-2015:2507-01, RHSA-2015:2508-01, RHSA-2015:2509-01, RHSA-2015:2518-01, SB10141, SUSE-SU-2015:1874-2, SUSE-SU-2015:1875-2, SUSE-SU-2015:2166-1, SUSE-SU-2015:2168-1, SUSE-SU-2015:2168-2, SUSE-SU-2015:2182-1, SUSE-SU-2015:2192-1, SUSE-SU-2015:2216-1, SUSE-SU-2015:2268-1, SUSE-SU-2016:0113-1, SUSE-SU-2016:0265-1, SUSE-SU-2016:0269-1, USN-2784-1, USN-2818-1, USN-2827-1, VIGILANCE-VUL-18149.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4835]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4881]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4843]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4883]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4860]

An attacker can use a vulnerability of Serialization, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4805]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-21214). [severity:3/4; CVE-2015-4844]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4901]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4868]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4868]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-4810]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2015-4806]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2015-4871]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; CVE-2015-4902]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-4840]

An attacker can use a vulnerability of CORBA, in order to trigger a denial of service. [severity:2/4; CVE-2015-4882]

An attacker can use a vulnerability of JAXP, in order to obtain information. [severity:2/4; CVE-2015-4842]

An attacker can use a vulnerability of JGSS, in order to obtain information. [severity:2/4; CVE-2015-4734]

An attacker can use a vulnerability of RMI, in order to obtain information. [severity:2/4; CVE-2015-4903]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4803]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4893]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4911]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; CVE-2015-4872]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4906]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4916]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4908]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2015-5738

RSA: private key computation via CRT

Synthesis of the vulnerability

An attacker can exchange with an application not implementing the RSA-CRT protection, in order to progressively guess the private key.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS, Java OpenJDK, openSUSE, Java Oracle, JavaFX, SSL protocol, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 08/09/2015.
Identifiers: cpuapr2015, CVE-2015-5738, openSUSE-SU-2015:1596-1, RSA-CRT, VIGILANCE-VUL-17836.

Description of the vulnerability

An implementation of the RSA algorithm can use the CRT (Chinese Remainder Theorem) optimization, so computations are faster. However, the RSA-CRT signature is affected by a side-channel attack, known since 1996 (Arjen Lenstra). OpenSSL and NSS are for example protected.

The GnuPG software is protected, but the Libgcrypt library is not. An attacker can therefore exchange with an application linked to Libgcrypt, to trigger a series of error and attack RSA-CRT, in order to progressively guess the private key.

The TLS protocol can use the Perfect Forward Secrecy. In this case, a RSA signature is used. However, several implementations, such as OpenJDK or JRE, do not have the RSA-CRT protection. An attacker can therefore exchange with a TLS server with the Perfect Forward Secrecy enabled, to trigger a series of error and attack RSA-CRT, in order to progressively guess the private key.

An attacker can therefore exchange with an application not implementing the RSA-CRT protection, in order to progressively guess the private key.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-2590 CVE-2015-2596 CVE-2015-2597

Oracle Java: several vulnerabilities of July 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Java were announced in July 2015.
Impacted products: DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Avamar, BIG-IP Hardware, TMOS, Fedora, AIX, DB2 UDB, Domino, Notes, IRAD, SPSS Data Collection, SPSS Modeler, SPSS Statistics, Tivoli Storage Manager, Tivoli System Automation, WebSphere MQ, Junos Space, ePO, SnapManager, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 25.
Creation date: 15/07/2015.
Identifiers: 1963330, 1963331, 1963812, 1964236, 1966040, 1966536, 1967222, 1967498, 1967893, 1968485, 1972455, 206954, 9010041, 9010044, BSA-2016-002, CERTFR-2015-ALE-007, CERTFR-2015-AVI-305, CERTFR-2016-AVI-128, cpujul2015, CVE-2015-2590, CVE-2015-2596, CVE-2015-2597, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2659, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760, DSA-3316-1, DSA-3339-1, ESA-2015-134, FEDORA-2015-11859, FEDORA-2015-11860, JSA10727, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1288-1, openSUSE-SU-2015:1289-1, RHSA-2015:1228-01, RHSA-2015:1229-01, RHSA-2015:1230-01, RHSA-2015:1241-01, RHSA-2015:1242-01, RHSA-2015:1243-01, RHSA-2015:1485-01, RHSA-2015:1486-01, RHSA-2015:1488-01, RHSA-2015:1526-01, RHSA-2015:1544-01, SB10139, SOL17079, SOL17169, SOL17170, SOL17171, SOL17173, SUSE-SU-2015:1319-1, SUSE-SU-2015:1320-1, SUSE-SU-2015:1329-1, SUSE-SU-2015:1331-1, SUSE-SU-2015:1345-1, SUSE-SU-2015:1375-1, SUSE-SU-2015:1509-1, SUSE-SU-2015:2166-1, SUSE-SU-2015:2192-1, USN-2696-1, USN-2706-1, VIGILANCE-VUL-17371.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-17558). [severity:3/4; CVE-2015-4760]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2628]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4731]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2590]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4732]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4733]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2638]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4736]

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4748]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2597]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2664]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-2632]

An attacker can use a vulnerability of JCE, in order to obtain information. [severity:2/4; CVE-2015-2601]

An attacker can use a vulnerability of JCE, in order to obtain information (VIGILANCE-VUL-18168). [severity:2/4; CVE-2015-2613]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; CVE-2015-2621]

An attacker can use a vulnerability of Security, in order to trigger a denial of service. [severity:2/4; CVE-2015-2659]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-2619]

An attacker can bypass security features in 2D, in order to obtain sensitive information. [severity:2/4; CVE-2015-2637]

An attacker can use a vulnerability of Hotspot, in order to alter information. [severity:2/4; CVE-2015-2596]

An attacker can use a vulnerability of JNDI, in order to trigger a denial of service. [severity:2/4; CVE-2015-4749]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; CVE-2015-4729]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; CVE-2015-4000]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; CVE-2015-2808]

An attacker can use a vulnerability of Install, in order to obtain information. [severity:1/4; CVE-2015-2627]

An attacker can use a vulnerability of JSSE, in order to obtain information. [severity:1/4; CVE-2015-2625]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about JRE Oracle: