The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Oracle Java: multiple vulnerabilities of April 2016

Summary of the vulnerability

An attacker can exploit several vulnerabilities in Oracle Java.
Severity of this weakness: 3/4.
Number of vulnerabilities in this bulletin: 9.
Creation date: 20/04/2016.
References of this bulletin: 1982223, 1982566, 1984075, 1984678, 1985466, 1985875, 1987778, 484398, 486953, bulletinjan2017, CERTFR-2016-AVI-135, cpuapr2016, CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3422, CVE-2016-3425, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449, DLA-451-1, DSA-3558-1, ESA-2016-052, ESA-2016-099, FEDORA-2016-33ccc205e7, openSUSE-SU-2016:1222-1, openSUSE-SU-2016:1230-1, openSUSE-SU-2016:1235-1, openSUSE-SU-2016:1262-1, openSUSE-SU-2016:1265-1, RHSA-2016:0650-01, RHSA-2016:0651-01, RHSA-2016:0675-01, RHSA-2016:0676-01, RHSA-2016:0677-01, RHSA-2016:0678-01, RHSA-2016:0679-01, RHSA-2016:0701-01, RHSA-2016:0702-01, RHSA-2016:0708-01, RHSA-2016:0716-01, RHSA-2016:0723-01, RHSA-2016:1039-01, SB10159, SOL33285044, SOL73112451, SOL81223200, SUSE-SU-2016:1248-1, SUSE-SU-2016:1250-1, SUSE-SU-2016:1299-1, SUSE-SU-2016:1300-1, SUSE-SU-2016:1303-1, SUSE-SU-2016:1378-1, SUSE-SU-2016:1379-1, SUSE-SU-2016:1388-1, SUSE-SU-2016:1458-1, SUSE-SU-2016:1475-1, USN-2963-1, USN-2964-1, USN-2972-1, VIGILANCE-VUL-19416, ZDI-16-376.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability in 2D to obtain information, alter information, or trigger a denial of service. [severity:3/4; CVE-2016-3443, ZDI-16-376]

An attacker can use a vulnerability in Hotspot to obtain information, alter information, or trigger a denial of service. [severity:3/4; CVE-2016-0687]

An attacker can use a vulnerability in Serialization to obtain information, alter information, or trigger a denial of service. [severity:3/4; CVE-2016-0686]

An attacker can use a vulnerability in JMX to obtain information, alter information, or trigger a denial of service. [severity:3/4; CVE-2016-3427]

An attacker can use a vulnerability in Deployment to obtain information, alter information, or trigger a denial of service. [severity:3/4; CVE-2016-3449]

An attacker can use a vulnerability in Security to obtain information. [severity:2/4; CVE-2016-0695]

An attacker can use a vulnerability in JAXP to trigger a denial of service. [severity:2/4; CVE-2016-3425]

An attacker can use a vulnerability in 2D to trigger a denial of service. [severity:2/4; CVE-2016-3422]

An attacker can use a vulnerability in JCE to obtain information. [severity:1/4; CVE-2016-3426]

This cybersecurity note impacts software or systems such as Debian, Avamar, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, AIX, Domino, Notes, QRadar SIEM, Tivoli Storage Manager, WebSphere AS Traditional, WebSphere MQ, JAXP, ePO, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this vulnerability announcement is important.

The trust level is "confirmed by the editor", with an origin of "user account".

This bulletin is about 9 vulnerabilities.

An attacker with expert ability can exploit this cybersecurity vulnerability.

Solutions for this threat

Oracle Java: version 8u91/8u92.
The version 8u91/8u92 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
  http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

Oracle Java: version 7u101.
The version 7u101 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html

Oracle Java: version 6u115.
The version 6u115 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

AIX: patch for Java.
A patch is indicated in information sources.

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u101-2.6.6-2~deb7u1
  Debian 8: openjdk-7 7u101-2.6.6-1~deb8u1

EMC Avamar: solution for JRE.
The solution is indicated in information sources.

EMC VNX1: solution for Oracle Java SE.
The solution is indicated in information sources.

ePolicy Orchestrator: patch EPO5xHF1133331.
A patch is indicated in information sources.

F5 BIG-IP: solution for Java.
The solution is indicated in information sources.

Fedora 23: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 23: java-1.8.0-openjdk 1.8.0.91-1.b14.fc23

IBM Domino, Notes: patch for IBM SDK Java.
A patch is available:
  http://www.ibm.com/support/docview.wss?uid=swg21657963
  http://www-01.ibm.com/support/docview.wss?uid=swg21663874

IBM Notes: version 9.0.1 Fix Pack 6.
The version 9.0.1 Fix Pack 6 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24037141

IBM QRadar SIEM: fixed versions for IBM Java.
Fixed versions are indicated in information sources.

IBM TADDM: patch for JAVA.
A patch is indicated in information sources.

IBM Tivoli Storage Manager: patch for Java.
A patch is available:
  http://www-01.ibm.com/support/docview.wss?uid=swg24042232

IBM WebSphere MQ: patch for Java.
A patch is indicated in information sources.

openSUSE: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.101-24.36.2
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.101-22.1
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.101-31.1

openSUSE: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_8_0-openjdk 1.8.0.91-27.1
  openSUSE Leap 42.1: java-1_8_0-openjdk 1.8.0.91-12.1

RHEL 5: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.9.40-1jpp.1.el5

RHEL 6.7: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.25-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.25-1jpp.1.el6_7

RHEL 6, 7: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.40-1jpp.1.el6_7
  RHEL 7: java-1.7.1-ibm 1.7.1.3.40-1jpp.1.el7

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.39-1.13.11.0.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.39-1.13.11.0.el6_7
  RHEL 7: java-1.6.0-openjdk 1.6.0.39-1.13.11.0.el7_2

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.115-1jpp.1.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.115-1jpp.1.el6_7
  RHEL 7: java-1.6.0-sun 1.6.0.115-1jpp.1.el7

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.101-2.6.6.1.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.101-2.6.6.1.el6_7
  RHEL 7: java-1.7.0-openjdk 1.7.0.101-2.6.6.1.el7_2

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.101-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.101-1jpp.1.el6_7
  RHEL 7: java-1.7.0-oracle 1.7.0.101-1jpp.1.el7

RHEL: new java-1.8.0-ibm packages.
New packages are available:
  RHEL 6: java-1.8.0-ibm 1.8.0.3.0-1jpp.1.el6
  RHEL 7: java-1.8.0-ibm 1.8.0.3.0-1jpp.1.el7

RHEL: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.91-0.b14.el6_7
  RHEL 7: java-1.8.0-openjdk 1.8.0.91-0.b14.el7_2

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.91-1jpp.1.el6_7
  RHEL 7: java-1.8.0-oracle 1.8.0.91-1jpp.1.el7

Solaris: patch for third party software of January 2017 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 11: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.40-52.1
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.40-52.1

SUSE LE 12: new java-1_8_0-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-ibm 1.8.0_sr3.0-10.1

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 10 SP4: java-1_6_0-ibm 1.6.0_sr16.25-0.11.1
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.25-69.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.25-69.1
  SUSE LE 12 RTM: java-1_6_0-ibm 1.6.0_sr16.25-34.1
  SUSE LE 12 SP1: java-1_6_0-ibm 1.6.0_sr16.25-34.1

SUSE LE: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 12 RTM: java-1_7_0-openjdk 1.7.0.101-30.1
  SUSE LE 12 SP1: java-1_7_0-openjdk 1.7.0.101-30.1

SUSE LE: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 11 SP4: java-1_7_1-ibm 1.7.1_sr3.40-13.1
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.40-25.1
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.40-25.1

SUSE LE: new java-1_8_0-openjdk packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-openjdk 1.8.0.91-11.1

Ubuntu: new openjdk-6 packages.
New packages are available:
  Ubuntu 12.04 LTS: icedtea-6 6b39-1.13.11-0ubuntu0.12.04.1, openjdk-6 6b39-1.13.11-0ubuntu0.12.04.1

Ubuntu: new openjdk-7 packages.
New packages are available:
  Ubuntu 15.10: openjdk-7 7u101-2.6.6-0ubuntu0.15.10.1
  Ubuntu 14.04 LTS: openjdk-7 7u101-2.6.6-0ubuntu0.14.04.1

Ubuntu: new openjdk-8 packages.
New packages are available:
  Ubuntu 16.04 LTS: openjdk-8 8u91-b14-0ubuntu4~16.04.1

WebSphere AS: patch for Java.
A patch is indicated in information sources.