The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle JavaFX

threat announce CVE-2017-10053 CVE-2017-10067 CVE-2017-10074

Oracle Java: vulnerabilities of July 2017

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle Java.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 32.
Creation date: 19/07/2017.
Identifiers: 2007002, 2008025, 2008360, 2008362, 2008757, 2009206, 2009232, 2009253, 2009415, 2009663, 2011594, 2012301, CERTFR-2017-AVI-223, cpujul2017, CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081, CVE-2017-10086, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10104, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10114, CVE-2017-10115, CVE-2017-10116, CVE-2017-10117, CVE-2017-10118, CVE-2017-10121, CVE-2017-10125, CVE-2017-10135, CVE-2017-10145, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243, DLA-1073-1, DSA-3919-1, DSA-3954-1, DSA-4005-1, FEDORA-2017-605557de96, FEDORA-2017-721314e3b3, FEDORA-2017-735e2ae663, FEDORA-2017-be3df4fe14, FEDORA-2017-fe57cf60c3, ibm10718843, JSA10873, NTAP-20170720-0001, openSUSE-SU-2017:2211-1, openSUSE-SU-2018:0042-1, RHSA-2017:1789-01, RHSA-2017:1790-01, RHSA-2017:1791-01, RHSA-2017:1792-01, RHSA-2017:2424-01, RHSA-2017:2469-01, RHSA-2017:2481-01, RHSA-2017:2530-01, SB10208, SUSE-SU-2017:2175-1, SUSE-SU-2017:2263-1, SUSE-SU-2017:2280-1, SUSE-SU-2017:2281-1, SUSE-SU-2018:0005-1, USN-3366-1, USN-3366-2, USN-3396-1, VIGILANCE-VUL-23289.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.
Full Vigil@nce bulletin... (Free trial)

computer weakness alert CVE-2016-5542 CVE-2016-5554 CVE-2016-5556

Oracle Java: vulnerabilities of October 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 19/10/2016.
Identifiers: 1993440, 1994049, 1994123, 1994478, 1997764, 1999054, 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, 2000212, 2000544, 2000904, 2000988, 2000990, 2001608, 2002331, 2002479, 2002537, 2003145, 2004036, 491108, CERTFR-2016-AVI-349, CERTFR-2017-AVI-012, cpuoct2016, CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5568, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597, DLA-704-1, DSA-3707-1, ESA-2016-137, FEDORA-2016-73054cfeeb, JSA10770, NTAP-20161019-0001, openSUSE-SU-2016:2862-1, openSUSE-SU-2016:2900-1, openSUSE-SU-2016:2985-1, openSUSE-SU-2016:2990-1, openSUSE-SU-2016:3088-1, RHSA-2016:2079-01, RHSA-2016:2088-01, RHSA-2016:2089-01, RHSA-2016:2090-01, RHSA-2016:2136-01, RHSA-2016:2137-01, RHSA-2016:2138-01, RHSA-2016:2658-01, RHSA-2016:2659-01, RHSA-2017:0061-01, SUSE-SU-2016:2887-1, SUSE-SU-2016:3010-1, SUSE-SU-2016:3040-1, SUSE-SU-2016:3041-1, SUSE-SU-2016:3043-1, SUSE-SU-2016:3068-1, SUSE-SU-2016:3078-1, USN-3121-1, USN-3130-1, USN-3154-1, VIGILANCE-VUL-20906, ZDI-16-571.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability via 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5556]

An attacker can use a vulnerability via AWT, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5568, ZDI-16-571]

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5582]

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5573]

An attacker can use a vulnerability via Networking, in order to obtain information. [severity:2/4; CVE-2016-5597]

An attacker can use a vulnerability via JMX, in order to alter information. [severity:2/4; CVE-2016-5554]

An attacker can use a vulnerability via Libraries, in order to alter information. [severity:1/4; CVE-2016-5542]
Full Vigil@nce bulletin... (Free trial)

computer weakness CVE-2016-3458 CVE-2016-3485 CVE-2016-3498

Oracle Java: vulnerabilities of July 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 13.
Creation date: 20/07/2016.
Identifiers: 1988339, 1988894, 1988978, 1989049, 1989337, 1990031, 1990448, 1991383, 1991909, 1991910, 1991911, 1991913, 1991997, 1995792, 1995799, 2001630, 2007242, 486953, CERTFR-2016-AVI-243, cpujul2016, CVE-2016-3458, CVE-2016-3485, CVE-2016-3498, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3552, CVE-2016-3587, CVE-2016-3598, CVE-2016-3606, CVE-2016-3610, DLA-579-1, DSA-3641-1, ESA-2016-099, FEDORA-2016-588e386aaa, FEDORA-2016-c07d18b2a5, FEDORA-2016-c60d35c46c, openSUSE-SU-2016:2050-1, openSUSE-SU-2016:2051-1, openSUSE-SU-2016:2052-1, openSUSE-SU-2016:2058-1, RHSA-2016:1458-01, RHSA-2016:1475-01, RHSA-2016:1476-01, RHSA-2016:1477-01, RHSA-2016:1504-01, RHSA-2016:1587-01, RHSA-2016:1588-01, RHSA-2016:1589-01, RHSA-2016:1776-01, SB10166, SOL05016441, SOL25075696, SUSE-SU-2016:1997-1, SUSE-SU-2016:2012-1, SUSE-SU-2016:2261-1, SUSE-SU-2016:2286-1, SUSE-SU-2016:2347-1, SUSE-SU-2016:2348-1, SUSE-SU-2016:2726-1, USN-3043-1, USN-3062-1, USN-3077-1, VIGILANCE-VUL-20169, ZDI-16-445, ZDI-16-446, ZDI-16-447, ZDI-16-448.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Communications.

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3587, ZDI-16-448]

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3606, ZDI-16-447]

An attacker can use a vulnerability via Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3598, ZDI-16-446]

An attacker can use a vulnerability via Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3610, ZDI-16-445]

An attacker can use a vulnerability via Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3552]

An attacker can use a vulnerability via Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3511]

An attacker can use a vulnerability via Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3503]

An attacker can use a vulnerability via JavaFX, in order to trigger a denial of service. [severity:2/4; CVE-2016-3498]

An attacker can use a vulnerability via JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3500]

An attacker can use a vulnerability via JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3508]

An attacker can use a vulnerability via CORBA, in order to alter information. [severity:2/4; CVE-2016-3458]

An attacker can use a vulnerability via Hotspot, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-3550]

An attacker can use a vulnerability via Networking, in order to alter information. [severity:1/4; CVE-2016-3485]
Full Vigil@nce bulletin... (Free trial)

cybersecurity bulletin CVE-2015-2613 CVE-2015-7940

Bouncy Castle, Oracle Java: disclosure of elliptic curve private keys

Synthesis of the vulnerability

An attacker can use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/10/2015.
Identifiers: 1968485, 1972455, 9010041, 9010044, BSA-2016-002, CERTFR-2019-AVI-325, cpuapr2018, cpujan2017, cpujan2018, cpujan2019, cpujul2015, cpujul2017, cpujul2018, cpuoct2017, CVE-2015-2613, CVE-2015-7940, DSA-3417-1, FEDORA-2015-7d95466eda, JSA10939, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1911-1, RHSA-2016:2035-01, RHSA-2016:2036-01, USN-3727-1, VIGILANCE-VUL-18168.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Bouncy Castle and Oracle Java products implement algorithms based on elliptic curves.

However, if the client forces the server to compute a common secret based on points located outside the chosen curve, he can progressively guess the full server key.

An attacker can therefore use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

security alert CVE-2015-4734 CVE-2015-4803 CVE-2015-4805

Oracle Java: several vulnerabilities of October 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 26.
Creation date: 21/10/2015.
Identifiers: 1969620, 1971361, 1971479, 1973785, 1974831, 1978806, 1981838, 56203, 9010041, 9010044, BSA-2016-002, BSA-2016-004, CERTFR-2015-AVI-439, cpuoct2015, CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4901, CVE-2015-4902, CVE-2015-4903, CVE-2015-4906, CVE-2015-4908, CVE-2015-4911, CVE-2015-4916, DSA-3381-1, DSA-3381-2, DSA-3401-1, FEDORA-2015-27cfe187b5, FEDORA-2015-ce54f85a3e, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1902-1, openSUSE-SU-2015:1905-1, openSUSE-SU-2015:1906-1, openSUSE-SU-2015:1971-1, openSUSE-SU-2016:0268-1, openSUSE-SU-2016:0270-1, openSUSE-SU-2016:0272-1, openSUSE-SU-2016:0279-1, RHSA-2015:1919-01, RHSA-2015:1920-01, RHSA-2015:1921-01, RHSA-2015:1926-01, RHSA-2015:1927-01, RHSA-2015:1928-01, RHSA-2015:2086-01, RHSA-2015:2506-01, RHSA-2015:2507-01, RHSA-2015:2508-01, RHSA-2015:2509-01, RHSA-2015:2518-01, SB10141, SUSE-SU-2015:1874-2, SUSE-SU-2015:1875-2, SUSE-SU-2015:2166-1, SUSE-SU-2015:2168-1, SUSE-SU-2015:2168-2, SUSE-SU-2015:2182-1, SUSE-SU-2015:2192-1, SUSE-SU-2015:2216-1, SUSE-SU-2015:2268-1, SUSE-SU-2016:0113-1, SUSE-SU-2016:0265-1, SUSE-SU-2016:0269-1, USN-2784-1, USN-2818-1, USN-2827-1, VIGILANCE-VUL-18149.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4835]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4881]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4843]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4883]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4860]

An attacker can use a vulnerability of Serialization, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4805]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-21214). [severity:3/4; CVE-2015-4844]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4901]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4868]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4868]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-4810]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2015-4806]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2015-4871]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; CVE-2015-4902]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-4840]

An attacker can use a vulnerability of CORBA, in order to trigger a denial of service. [severity:2/4; CVE-2015-4882]

An attacker can use a vulnerability of JAXP, in order to obtain information. [severity:2/4; CVE-2015-4842]

An attacker can use a vulnerability of JGSS, in order to obtain information. [severity:2/4; CVE-2015-4734]

An attacker can use a vulnerability of RMI, in order to obtain information. [severity:2/4; CVE-2015-4903]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4803]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4893]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4911]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; CVE-2015-4872]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4906]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4916]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4908]
Full Vigil@nce bulletin... (Free trial)

cybersecurity alert CVE-2015-5738

RSA: private key computation via CRT

Synthesis of the vulnerability

An attacker can exchange with an application not implementing the RSA-CRT protection, in order to progressively guess the private key.
Severity: 2/4.
Creation date: 08/09/2015.
Identifiers: cpuapr2015, CVE-2015-5738, openSUSE-SU-2015:1596-1, RSA-CRT, VIGILANCE-VUL-17836.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An implementation of the RSA algorithm can use the CRT (Chinese Remainder Theorem) optimization, so computations are faster. However, the RSA-CRT signature is affected by a side-channel attack, known since 1996 (Arjen Lenstra). OpenSSL and NSS are for example protected.

The GnuPG software is protected, but the Libgcrypt library is not. An attacker can therefore exchange with an application linked to Libgcrypt, to trigger a series of error and attack RSA-CRT, in order to progressively guess the private key.

The TLS protocol can use the Perfect Forward Secrecy. In this case, a RSA signature is used. However, several implementations, such as OpenJDK or JRE, do not have the RSA-CRT protection. An attacker can therefore exchange with a TLS server with the Perfect Forward Secrecy enabled, to trigger a series of error and attack RSA-CRT, in order to progressively guess the private key.

An attacker can therefore exchange with an application not implementing the RSA-CRT protection, in order to progressively guess the private key.
Full Vigil@nce bulletin... (Free trial)

computer threat CVE-2015-2590 CVE-2015-2596 CVE-2015-2597

Oracle Java: several vulnerabilities of July 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Java were announced in July 2015.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 25.
Creation date: 15/07/2015.
Identifiers: 1963330, 1963331, 1963812, 1964236, 1966040, 1966536, 1967222, 1967498, 1967893, 1968485, 1972455, 206954, 9010041, 9010044, BSA-2016-002, CERTFR-2015-ALE-007, CERTFR-2015-AVI-305, CERTFR-2016-AVI-128, cpujul2015, CVE-2015-2590, CVE-2015-2596, CVE-2015-2597, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2659, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760, DSA-3316-1, DSA-3339-1, ESA-2015-134, FEDORA-2015-11859, FEDORA-2015-11860, JSA10727, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1288-1, openSUSE-SU-2015:1289-1, RHSA-2015:1228-01, RHSA-2015:1229-01, RHSA-2015:1230-01, RHSA-2015:1241-01, RHSA-2015:1242-01, RHSA-2015:1243-01, RHSA-2015:1485-01, RHSA-2015:1486-01, RHSA-2015:1488-01, RHSA-2015:1526-01, RHSA-2015:1544-01, SB10139, SOL17079, SOL17169, SOL17170, SOL17171, SOL17173, SUSE-SU-2015:1319-1, SUSE-SU-2015:1320-1, SUSE-SU-2015:1329-1, SUSE-SU-2015:1331-1, SUSE-SU-2015:1345-1, SUSE-SU-2015:1375-1, SUSE-SU-2015:1509-1, SUSE-SU-2015:2166-1, SUSE-SU-2015:2192-1, USN-2696-1, USN-2706-1, VIGILANCE-VUL-17371.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-17558). [severity:3/4; CVE-2015-4760]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2628]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4731]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2590]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4732]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4733]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2638]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4736]

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4748]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2597]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2664]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-2632]

An attacker can use a vulnerability of JCE, in order to obtain information. [severity:2/4; CVE-2015-2601]

An attacker can use a vulnerability of JCE, in order to obtain information (VIGILANCE-VUL-18168). [severity:2/4; CVE-2015-2613]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; CVE-2015-2621]

An attacker can use a vulnerability of Security, in order to trigger a denial of service. [severity:2/4; CVE-2015-2659]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-2619]

An attacker can bypass security features in 2D, in order to obtain sensitive information. [severity:2/4; CVE-2015-2637]

An attacker can use a vulnerability of Hotspot, in order to alter information. [severity:2/4; CVE-2015-2596]

An attacker can use a vulnerability of JNDI, in order to trigger a denial of service. [severity:2/4; CVE-2015-4749]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; CVE-2015-4729]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; CVE-2015-4000]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; CVE-2015-2808]

An attacker can use a vulnerability of Install, in order to obtain information. [severity:1/4; CVE-2015-2627]

An attacker can use a vulnerability of JSSE, in order to obtain information. [severity:1/4; CVE-2015-2625]
Full Vigil@nce bulletin... (Free trial)

weakness CVE-2015-0204 CVE-2015-0458 CVE-2015-0459

Oracle Java: several vulnerabilities of April 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Java were announced in April 2015.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 14.
Creation date: 15/04/2015.
Identifiers: 1610582, 1902260, 1903541, 1903704, 1958902, 1960194, 1964236, 1966551, 1967498, 1968485, 205086, 206954, 7045736, BSA-2015-009, CERTFR-2015-AVI-172, cpuapr2015, CVE-2015-0204, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492, DSA-3234-1, DSA-3235-1, DSA-3316-1, ESA-2015-085, ESA-2015-134, FEDORA-2015-6357, FEDORA-2015-6369, FEDORA-2015-6397, FREAK, MDVSA-2015:212, openSUSE-SU-2015:0773-1, openSUSE-SU-2015:0774-1, RHSA-2015:0806-01, RHSA-2015:0807-01, RHSA-2015:0808-01, RHSA-2015:0809-01, RHSA-2015:0854-01, RHSA-2015:0857-01, RHSA-2015:0858-01, RHSA-2015:1006-01, RHSA-2015:1007-01, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SB10119, SUSE-SU-2015:0833-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, SUSE-SU-2015:2166-1, SUSE-SU-2015:2168-1, SUSE-SU-2015:2168-2, SUSE-SU-2015:2182-1, SUSE-SU-2015:2192-1, SUSE-SU-2015:2216-1, USN-2573-1, USN-2574-1, VIGILANCE-VUL-16607, VU#243585.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0469]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0459]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0491]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0460]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0492]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0458]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0484]

An attacker can use a vulnerability of Tools, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-0480]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; CVE-2015-0486]

An attacker can use a vulnerability of JSSE, in order to trigger a denial of service. [severity:2/4; CVE-2015-0488]

An attacker can use a vulnerability of Beans, in order to alter information. [severity:2/4; CVE-2015-0477]

An attacker can use a vulnerability of Hotspot, in order to alter information. [severity:2/4; CVE-2015-0470]

An attacker can use a vulnerability of JCE, in order to obtain information (VIGILANCE-VUL-17836). [severity:2/4; CVE-2015-0478]

An attacker, located as a Man-in-the-Middle, can force the Chrome, JSSE, LibReSSL, Mono or OpenSSL client to accept a weak export algorithm, in order to more easily capture or alter exchanged data (VIGILANCE-VUL-16301). [severity:2/4; CVE-2015-0204, FREAK, VU#243585]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-6593 CVE-2015-0205

JSSE, CyaSSL, Mono, OpenSSL: clear text session via SKIP-TLS

Synthesis of the vulnerability

An attacker, who has a TLS server, can force the JSSE, CyaSSL, Mono or OpenSSL client/server to use a clear text session, in order to allow a third party to capture or alter exchanged data.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 04/03/2015.
Revision date: 09/03/2015.
Identifiers: 1699051, 1700706, 1701485, 9010028, ARUBA-PSA-2015-003, bulletinjan2015, c04517481, c04556853, c04580241, c04583581, CERTFR-2015-AVI-108, CERTFR-2015-AVI-146, CERTFR-2016-AVI-303, cisco-sa-20150310-ssl, cpujan2015, cpuoct2017, CTX216642, CVE-2014-6593, CVE-2015-0205, DSA-3125-1, DSA-3144-1, DSA-3147-1, FEDORA-2015-0512, FEDORA-2015-0601, FEDORA-2015-0983, FEDORA-2015-1075, FEDORA-2015-1150, FEDORA-2015-8251, FEDORA-2015-8264, FreeBSD-SA-15:01.openssl, HPSBUX03219, HPSBUX03244, HPSBUX03273, HPSBUX03281, JSA10679, MDVSA-2015:019, MDVSA-2015:033, MDVSA-2015:062, NetBSD-SA2015-006, NTAP-20150205-0001, openSUSE-SU-2015:0130-1, openSUSE-SU-2015:0190-1, openSUSE-SU-2015:1277-1, RHSA-2015:0066-01, RHSA-2015:0067-01, RHSA-2015:0068-01, RHSA-2015:0069-01, RHSA-2015:0079-01, RHSA-2015:0080-01, RHSA-2015:0085-01, RHSA-2015:0086-01, RHSA-2015:0133-01, RHSA-2015:0134-01, RHSA-2015:0135-01, RHSA-2015:0136-01, RHSA-2015:0263-01, RHSA-2015:0264-01, SA40015, SA88, SB10104, SB10108, SKIP-TLS, SOL16120, SOL16123, SOL16124, SOL16126, SOL16135, SOL16136, SOL16139, SPL-95203, SSA:2015-009-01, SSRT101859, SSRT101885, SSRT101951, SSRT101968, SUSE-SU-2015:0336-1, SUSE-SU-2015:0503-1, USN-2459-1, USN-2486-1, USN-2487-1, VIGILANCE-VUL-16300, VMSA-2015-0003, VMSA-2015-0003.1, VMSA-2015-0003.10, VMSA-2015-0003.11, VMSA-2015-0003.12, VMSA-2015-0003.13, VMSA-2015-0003.14, VMSA-2015-0003.15, VMSA-2015-0003.2, VMSA-2015-0003.3, VMSA-2015-0003.4, VMSA-2015-0003.5, VMSA-2015-0003.6, VMSA-2015-0003.8, VMSA-2015-0003.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The TLS protocol uses a series of messages which have to be exchanged between the client and the server, before establishing a secured session.

However, clients such as JSSE or CyaSSL accept if the server directly skips to the final state (CVE-2014-6593, first analyzed in VIGILANCE-VUL-16014). Moreover, servers such as Mono or OpenSSL accept if the client directly skips to the final state (CVE-2015-0205, first analyzed in VIGILANCE-VUL-15934).The established session thus uses no encryption.

An attacker, who has a TLS server, can therefore force the JSSE, CyaSSL, Mono or OpenSSL client/server to use a clear text session, in order to allow a third party to capture or alter exchanged data.
Full Vigil@nce bulletin... (Free trial)

cybersecurity announce CVE-2014-3566 CVE-2014-6549 CVE-2014-6585

Oracle Java: several vulnerabilities of January 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Java were announced in January 2015.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 19.
Creation date: 21/01/2015.
Identifiers: 1698239, 1699051, 1700706, 1701485, 7045736, c04517481, c04580241, c04583581, CERTFR-2015-AVI-034, CERTFR-2016-AVI-303, cpujan2015, CTX216642, CVE-2014-3566, CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0400, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413, CVE-2015-0421, CVE-2015-0437, DSA-3144-1, DSA-3147-1, FEDORA-2015-0983, FEDORA-2015-1075, FEDORA-2015-1150, FEDORA-2015-8251, FEDORA-2015-8264, HPSBUX03219, HPSBUX03273, HPSBUX03281, MDVSA-2015:033, MDVSA-2015:198, openSUSE-SU-2015:0190-1, RHSA-2015:0067-01, RHSA-2015:0068-01, RHSA-2015:0069-01, RHSA-2015:0079-01, RHSA-2015:0080-01, RHSA-2015:0085-01, RHSA-2015:0086-01, RHSA-2015:0133-01, RHSA-2015:0134-01, RHSA-2015:0135-01, RHSA-2015:0136-01, RHSA-2015:0263-01, RHSA-2015:0264-01, SB10104, SSRT101859, SSRT101951, SSRT101968, SUSE-SU-2015:0336-1, SUSE-SU-2015:0503-1, USN-2486-1, USN-2487-1, VIGILANCE-VUL-16014, VMSA-2015-0003, VMSA-2015-0003.1, VMSA-2015-0003.10, VMSA-2015-0003.11, VMSA-2015-0003.12, VMSA-2015-0003.13, VMSA-2015-0003.14, VMSA-2015-0003.15, VMSA-2015-0003.2, VMSA-2015-0003.3, VMSA-2015-0003.4, VMSA-2015-0003.5, VMSA-2015-0003.6, VMSA-2015-0003.8, VMSA-2015-0003.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6601]

An attacker can use a vulnerability of JAX-WS, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0412]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6549]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0408]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0395]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0437]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0403]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0421]

An attacker can use a vulnerability of Deployment, in order to obtain information, or to trigger a denial of service. [severity:2/4; CVE-2015-0406]

An attacker can use a vulnerability of Hotspot, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-0383]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; CVE-2015-0400]

An attacker can use a vulnerability of Swing, in order to obtain information. [severity:2/4; CVE-2015-0407]

An attacker can use a vulnerability of Security, in order to trigger a denial of service. [severity:2/4; CVE-2015-0410]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2014-6587]

An attacker can use a vulnerability of JSSE, in order to obtain information. [severity:2/4; CVE-2014-3566]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information (VIGILANCE-VUL-16300). [severity:2/4; CVE-2014-6593]

An attacker can use a vulnerability of 2D, in order to obtain information (VIGILANCE-VUL-17559). [severity:1/4; CVE-2014-6585]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:1/4; CVE-2014-6591]

An attacker can use a vulnerability of Serviceability, in order to alter information. [severity:1/4; CVE-2015-0413]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.