The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of MicroFocus SUSE Linux Enterprise Server

computer vulnerability CVE-2016-4482

Linux kernel: information disclosure via USB proc_connectinfo

Synthesis of the vulnerability

A local attacker can read a memory fragment via the USB proc_connectinfo() function of the Linux kernel, in order to obtain sensitive information.
Impacted products: Debian, Fedora, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 04/05/2016.
Identifiers: CERTFR-2016-AVI-220, CERTFR-2016-AVI-267, CERTFR-2017-AVI-034, CVE-2016-4482, DLA-516-1, DSA-3607-1, FEDORA-2016-7d900003e6, FEDORA-2016-a159c484e4, openSUSE-SU-2016:1641-1, openSUSE-SU-2016:2144-1, openSUSE-SU-2016:2184-1, SUSE-SU-2016:1672-1, SUSE-SU-2016:1690-1, SUSE-SU-2016:1696-1, SUSE-SU-2016:1937-1, SUSE-SU-2016:1985-1, SUSE-SU-2016:2105-1, SUSE-SU-2016:2245-1, SUSE-SU-2017:0333-1, USN-3016-1, USN-3016-2, USN-3016-3, USN-3016-4, USN-3017-1, USN-3017-2, USN-3017-3, USN-3018-1, USN-3018-2, USN-3019-1, USN-3020-1, USN-3021-1, USN-3021-2, VIGILANCE-VUL-19515.

Description of the vulnerability

The Linux kernel implements usbfs, which uses the usbdevfs_connectinfo structure.

However, the proc_connectinfo() function of the drivers/usb/core/devio.c file does not initialize a memory area of 3 bytes before returning it to the user.

A local attacker can therefore read a memory fragment via the USB proc_connectinfo() function of the Linux kernel, in order to obtain sensitive information.

vulnerability note CVE-2016-4483

libxml2: out-of-bounds memory reading via xmlBufAttrSerializeTxtContent

Synthesis of the vulnerability

An attacker can force a read at an invalid address in xmlBufAttrSerializeTxtContent() of libxml2, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: iOS by Apple, iPhone, Mac OS X, Blue Coat CAS, ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, Debian, libxml, openSUSE, openSUSE Leap, Solaris, Splunk Enterprise, SLES, Nessus, Ubuntu.
Severity: 2/4.
Creation date: 04/05/2016.
Identifiers: 1989337, 1991909, 1991910, 1991911, 1991913, 1991997, bulletinjul2016, CVE-2016-4483, DLA-503-1, DSA-3593-1, HT206902, HT206903, openSUSE-SU-2016:1594-1, openSUSE-SU-2016:1595-1, SA129, SPL-119440, SPL-121159, SPL-123095, SUSE-SU-2016:1538-1, SUSE-SU-2016:1604-1, TNS-2017-03, USN-2994-1, VIGILANCE-VUL-19514.

Description of the vulnerability

The xmllint tool of libxml2 has the option "--recover" to try to decode a malformed XML document.

However, the xmlBufAttrSerializeTxtContent() function of the xmlsave.c file tries to read a memory area located outside the expected range, which triggers a fatal error, or leads to the disclosure of a memory fragment.

An attacker can therefore force a read at an invalid address in xmlBufAttrSerializeTxtContent() of libxml2, in order to trigger a denial of service, or to obtain sensitive information.

vulnerability bulletin CVE-2016-3705

libxml2: infinite loop of xmlParserEntityCheck

Synthesis of the vulnerability

An attacker can generate an infinite recursion in xmlStringGetNodeList() of libxml2, in order to trigger a denial of service.
Impacted products: Blue Coat CAS, ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, Debian, BIG-IP Hardware, TMOS, Junos Space, libxml, McAfee Web Gateway, openSUSE, openSUSE Leap, RHEL, Splunk Enterprise, SLES, Nessus, Ubuntu.
Severity: 2/4.
Creation date: 03/05/2016.
Identifiers: 765207, CERTFR-2017-AVI-012, CVE-2016-3705, DLA-503-1, DSA-3593-1, JSA10770, openSUSE-SU-2016:1446-1, openSUSE-SU-2016:1594-1, openSUSE-SU-2016:1595-1, RHSA-2016:1292-01, SA129, SB10170, SOL54225343, SPL-119440, SPL-121159, SPL-123095, SUSE-SU-2016:1538-1, SUSE-SU-2016:1604-1, TNS-2017-03, USN-2994-1, VIGILANCE-VUL-19513.

Description of the vulnerability

The libxml2 library includes an XML parser.

However, a malformed document triggers an infinite recursion in the xmlParserEntityCheck(), xmlParseEntityValue() and xmlParseAttValueComplex() functions, which depletes the stack.

An attacker can therefore generate an infinite recursion in xmlStringGetNodeList() of libxml2, in order to trigger a denial of service.

vulnerability announcement CVE-2016-2105 CVE-2016-2106 CVE-2016-2107

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Tomcat, Mac OS X, StormShield, Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, XenServer, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiOS, FreeBSD, Android OS, HP Operations, HP Switch, AIX, IRAD, QRadar SIEM, IBM System x Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Copssh, Juniper J-Series, JUNOS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee NSM, Meinberg NTP Server, MySQL Community, MySQL Enterprise, Data ONTAP, NETASQ, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, VirtualBox, WebLogic, Oracle Web Tier, Palo Alto Firewall PA***, PAN-OS, Percona Server, XtraDB Cluster, pfSense, Pulse Connect Secure, Puppet, Python, RHEL, JBoss EAP by Red Hat, SAS Management Console, Shibboleth SP, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, WindRiver Linux, VxWorks, WordPress Plugins ~ not comprehensive, X2GoClient.
Severity: 3/4.
Creation date: 03/05/2016.
Identifiers: 1982949, 1985850, 1987779, 1993215, 1995099, 1998797, 2003480, 2003620, 2003673, 9010083, bulletinapr2016, bulletinapr2017, CERTFR-2016-AVI-151, CERTFR-2016-AVI-153, cisco-sa-20160504-openssl, cpuapr2017, cpujul2016, cpujul2017, cpuoct2016, CTX212736, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, DLA-456-1, DSA-3566-1, FEDORA-2016-05c567df1a, FEDORA-2016-1e39d934ed, FEDORA-2016-e1234b65a2, FG-IR-16-026, FreeBSD-SA-16:17.openssl, HPESBGN03728, HPESBHF03756, HT206903, JSA10759, K23230229, K36488941, K51920288, K75152412, K93600123, MBGSA-1603, MIGR-5099595, MIGR-5099597, NTAP-20160504-0001, openSUSE-SU-2016:1237-1, openSUSE-SU-2016:1238-1, openSUSE-SU-2016:1239-1, openSUSE-SU-2016:1240-1, openSUSE-SU-2016:1241-1, openSUSE-SU-2016:1242-1, openSUSE-SU-2016:1243-1, openSUSE-SU-2016:1273-1, openSUSE-SU-2016:1566-1, openSUSE-SU-2017:0487-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2016:0722-01, RHSA-2016:0996-01, RHSA-2016:1137-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, RHSA-2016:2073-01, SA123, SA40202, SB10160, SOL23230229, SOL36488941, SOL51920288, SOL75152412, SP-CAAAPPQ, SPL-119440, SPL-121159, SPL-123095, SSA:2016-124-01, STORM-2016-002, SUSE-SU-2016:1206-1, SUSE-SU-2016:1228-1, SUSE-SU-2016:1231-1, SUSE-SU-2016:1233-1, SUSE-SU-2016:1267-1, SUSE-SU-2016:1290-1, SUSE-SU-2016:1360-1, TNS-2016-10, USN-2959-1, VIGILANCE-VUL-19512, VN-2016-006, VN-2016-007.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. This vulnerability was initially fixed in versions 1.0.1o and 1.0.2c, but it was not disclosed at that time. [severity:3/4; CVE-2016-2108]

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. [severity:3/4; CVE-2016-2107]

An attacker can generate a buffer overflow in EVP_EncodeUpdate(), which is mainly used by command line applications, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2105]

An attacker can generate a buffer overflow in EVP_EncryptUpdate(), which is difficult to reach, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2106]

An attacker can trigger an excessive memory usage in d2i_CMS_bio(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2109]

An attacker can force a read at an invalid address in applications using X509_NAME_oneline(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2176]

vulnerability bulletin CVE-2016-3074 CVE-2016-3132 CVE-2016-4537

PHP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE, openSUSE Leap, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 29/04/2016.
Identifiers: 71735, 71750, 71843, 71912, 72061, 72093, 72094, 72099, CVE-2016-3074, CVE-2016-3132, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, DLA-499-1, DLA-628-1, DSA-3602-1, FEDORA-2016-e205218629, FEDORA-2016-f1d98cf017, openSUSE-SU-2016:1274-1, openSUSE-SU-2016:1357-1, openSUSE-SU-2016:1524-1, openSUSE-SU-2016:1553-1, RHSA-2016:2750-01, SOL35240323, SSA:2016-120-02, SUSE-SU-2016:1581-1, SUSE-SU-2016:1638-1, USN-2984-1, VIGILANCE-VUL-19483.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can generate a buffer overflow in php_raw_url_encode/php_url_encode, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 71750]

An attacker can force a read at an invalid address in exif, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; 72094, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544]

An attacker can generate a buffer overflow in libgd, in order to trigger a denial of service, and possibly to run code (VIGILANCE-VUL-19447). [severity:2/4; 71912, CVE-2016-3074]

An attacker can force a NULL pointer to be dereferenced in ZEND_RETURN_SPEC_CONST_HANDLER, in order to trigger a denial of service. [severity:1/4; 71843]

An attacker can force the usage of a freed memory area in SplDoublyLinkedList::offsetSet, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 71735, CVE-2016-3132]

An attacker can force a read at an invalid address in zif_grapheme_stripos, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 72061, CVE-2016-4540, CVE-2016-4541]

An attacker can generate a memory corruption in bcpowmod, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72093, CVE-2016-4537, CVE-2016-4538]

An attacker can generate a memory corruption in xml_parse_into_struct, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72099, CVE-2016-4539]

vulnerability CVE-2016-2167 CVE-2016-2168

Apache Subversion: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apache Subversion.
Impacted products: Subversion, Debian, Fedora, openSUSE, openSUSE Leap, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 28/04/2016.
Identifiers: CVE-2016-2167, CVE-2016-2168, DLA-448-1, DSA-3561-1, FEDORA-2016-e024b3e02b, openSUSE-SU-2016:1263-1, openSUSE-SU-2016:1264-1, SSA:2016-121-01, SUSE-SU-2017:2200-1, USN-3388-1, VIGILANCE-VUL-19480.

Description of the vulnerability

Several vulnerabilities were announced in Apache Subversion.

An attacker can bypass security features in svnserve/sasl, in order to escalate his privileges. [severity:2/4; CVE-2016-2167]

An attacker can force a NULL pointer to be dereferenced in mod_authz_svn, in order to trigger a denial of service. [severity:2/4; CVE-2016-2168]

computer vulnerability announcement CVE-2015-7704 CVE-2015-8138 CVE-2016-1547

NTP.org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NTP.org.
Impacted products: SNS, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco Unity ~ precise, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, AIX, Juniper J-Series, JUNOS, Junos Space, McAfee Web Gateway, Meinberg NTP Server, NTP.org, openSUSE, openSUSE Leap, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, Slackware, Spectracom SecureSync, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Creation date: 27/04/2016.
Identifiers: bulletinapr2016, c05270839, CERTFR-2016-AVI-153, cisco-sa-20160428-ntpd, CTX220112, CVE-2015-7704, CVE-2015-8138, CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, DLA-559-1, DSA-3629-1, FEDORA-2016-5b2eb0bf9c, FEDORA-2016-777d838c1b, FreeBSD-SA-16:16.ntp, HPESBHF03750, HPSBHF03646, JSA10776, JSA10796, K11251130, K20804323, K24613253, K43205719, K63675293, MBGSA-1602, openSUSE-SU-2016:1292-1, openSUSE-SU-2016:1329-1, openSUSE-SU-2016:1423-1, PAN-SA-2016-0019, RHSA-2016:1141-01, RHSA-2016:1552-01, SB10164, SOL11251130, SOL20804323, SOL24613253, SOL41613034, SOL43205719, SOL45427159, SOL61200338, SOL63675293, SSA:2016-120-01, STORM-2016-003, STORM-2016-004, SUSE-SU-2016:1175-1, SUSE-SU-2016:1177-1, SUSE-SU-2016:1247-1, SUSE-SU-2016:1278-1, SUSE-SU-2016:1291-1, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, TALOS-2016-0081, TALOS-2016-0082, TALOS-2016-0083, TALOS-2016-0084, TALOS-2016-0132, USN-3096-1, USN-3349-1, VIGILANCE-VUL-19477, VU#718152.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

On certain systems, the ntpd daemon can accept packets from 127.0.0.0/8. [severity:1/4; CVE-2016-1551, TALOS-2016-0132]

An attacker can use a Sybil attack, in order to alter the system clock. [severity:2/4; CVE-2016-1549, TALOS-2016-0083]

An attacker can force an assertion error with duplicate IP, in order to trigger a denial of service. [severity:2/4; CVE-2016-2516]

An attacker can trigger an error in the management of trustedkey/requestkey/controlkey, in order to trigger a denial of service. [severity:2/4; CVE-2016-2517]

An attacker can force a read at an invalid address in MATCH_ASSOC, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-2518]

An attacker can trigger a fatal error in ctl_getitem(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2519]

An attacker can send a malicious CRYPTO-NAK packet, in order to trigger a denial of service. [severity:2/4; CVE-2016-1547, TALOS-2016-0081]

An attacker can use Interleave-pivot, in order to alter a client time. [severity:2/4; CVE-2016-1548, TALOS-2016-0082]

An attacker can trigger a fatal error in the ntp client, in order to trigger a denial of service. [severity:2/4; CVE-2015-7704]

The Zero Origin Timestamp value is not correctly checked. [severity:2/4; CVE-2015-8138]

An attacker can measure the comparison execution time, in order to guess a hash. [severity:2/4; CVE-2016-1550, TALOS-2016-0084]

vulnerability alert CVE-2015-5589 CVE-2015-5590 CVE-2015-8838

PHP: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, pfSense, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Creation date: 10/07/2015.
Revision dates: 10/07/2015, 22/04/2016.
Identifiers: 69669, 69768, 69923, 69958, 69970, 69972, CVE-2015-5589, CVE-2015-5590, CVE-2015-8838, DSA-3344-1, FEDORA-2015-11581, openSUSE-SU-2015:1351-1, openSUSE-SU-2016:1167-1, openSUSE-SU-2016:1173-1, RHSA-2016:0457-01, SUSE-SU-2016:1145-1, SUSE-SU-2016:1166-1, SUSE-SU-2016:1581-1, SUSE-SU-2016:1638-1, USN-2758-1, USN-2952-1, USN-2952-2, VIGILANCE-VUL-17341.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An unknown vulnerability was announced in the functions escapeshell*. This may be related to an incomplete fix for CVE-2015-4642 mentioned in VIGILANCE-VUL-17113. [severity:2/4; 69768]

An attacker can generate a buffer overflow in Phar::convertToDat, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; 69958, CVE-2015-5589]

An attacker can generate a buffer overflow in phar_fix_filepath, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; 69923, CVE-2015-5590]

An attacker can force the usage of a freed memory area in spl_recursive_it_move_forward_ex(), in order to trigger a denial of service, and possibly to execute code. [severity:2/4; 69970]

An attacker can force the usage of a freed memory area in sqlite3SafetyCheckSickOrOk(), in order to trigger a denial of service, and possibly to execute code. [severity:2/4; 69972]

An attacker can act as a Man-in-the-Middle when the mysqlnd client asks for a TLS session, in order to read or alter exchanged data (same as VIGILANCE-VUL-16761, which has the identifier CVE-2015-3152 for MySQL, but CVE-2015-8838 for PHP). [severity:2/4; 69669, CVE-2015-8838]

vulnerability bulletin CVE-2016-4051 CVE-2016-4052 CVE-2016-4053

Squid: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Squid.
Impacted products: Debian, Fedora, openSUSE Leap, RHEL, Squid, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 20/04/2016.
Identifiers: CERTFR-2016-AVI-141, CVE-2016-4051, CVE-2016-4052, CVE-2016-4053, CVE-2016-4054, DLA-478-1, DLA-556-1, DSA-3625-1, FEDORA-2016-95edf19d8a, FEDORA-2016-b3b9407940, openSUSE-SU-2016:2081-1, RHSA-2016:1138-01, RHSA-2016:1139-01, RHSA-2016:1140-01, SQUID-2016:5, SQUID-2016:6, SUSE-SU-2016:1996-1, SUSE-SU-2016:2089-1, USN-2995-1, VIGILANCE-VUL-19423.

Description of the vulnerability

Several vulnerabilities were announced in Squid.

An attacker can generate a buffer overflow in cachemgr.cgi, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4051, SQUID-2016:5]

An attacker can generate a buffer overflow in Squid ESI, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-4052, CVE-2016-4053, CVE-2016-4054, SQUID-2016:6]

computer vulnerability alert CVE-2016-0686 CVE-2016-0687 CVE-2016-0695

Oracle Java: multiple vulnerabilities of April 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted products: Debian, Avamar, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, AIX, QRadar SIEM, Tivoli Storage Manager, WebSphere AS Traditional, WebSphere MQ, JAXP, Domino, Notes, ePO, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 20/04/2016.
Identifiers: 1982223, 1982566, 1984075, 1984678, 1985466, 1985875, 1987778, 484398, 486953, bulletinjan2017, CERTFR-2016-AVI-135, cpuapr2016, CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3422, CVE-2016-3425, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449, DLA-451-1, DSA-3558-1, ESA-2016-052, ESA-2016-099, FEDORA-2016-33ccc205e7, openSUSE-SU-2016:1222-1, openSUSE-SU-2016:1230-1, openSUSE-SU-2016:1235-1, openSUSE-SU-2016:1262-1, openSUSE-SU-2016:1265-1, RHSA-2016:0650-01, RHSA-2016:0651-01, RHSA-2016:0675-01, RHSA-2016:0676-01, RHSA-2016:0677-01, RHSA-2016:0678-01, RHSA-2016:0679-01, RHSA-2016:0701-01, RHSA-2016:0702-01, RHSA-2016:0708-01, RHSA-2016:0716-01, RHSA-2016:0723-01, RHSA-2016:1039-01, SB10159, SOL33285044, SOL73112451, SOL81223200, SUSE-SU-2016:1248-1, SUSE-SU-2016:1250-1, SUSE-SU-2016:1299-1, SUSE-SU-2016:1300-1, SUSE-SU-2016:1303-1, SUSE-SU-2016:1378-1, SUSE-SU-2016:1379-1, SUSE-SU-2016:1388-1, SUSE-SU-2016:1458-1, SUSE-SU-2016:1475-1, USN-2963-1, USN-2964-1, USN-2972-1, VIGILANCE-VUL-19416, ZDI-16-376.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3443, ZDI-16-376]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-0687]

An attacker can use a vulnerability of Serialization, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-0686]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3427]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3449]

An attacker can use a vulnerability of Security, in order to obtain information. [severity:2/4; CVE-2016-0695]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3425]

An attacker can use a vulnerability of 2D, in order to trigger a denial of service. [severity:2/4; CVE-2016-3422]

An attacker can use a vulnerability of JCE, in order to obtain information. [severity:1/4; CVE-2016-3426]