The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Oracle Java: multiple vulnerabilities of January 2016

Summary of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted systems: Brocade Network Advisor, Brocade vTM, Debian, Avamar, BIG-IP Hardware, TMOS, Fedora, AIX, Domino by IBM, Notes by IBM, SPSS Modeler, Tivoli System Automation, WebSphere AS Traditional, WebSphere MQ, JAXP, ePO, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu.
Severity of this alert: 3/4.
Number of vulnerabilities in this bulletin: 9.
Creation date: 20/01/2016.
References of this alert: 1975365, 1975424, 1976200, 1976262, 1976896, 1977127, 1977129, 1977405, 1977518, 479387, 7043086, 9010057, BSA-2016-004, CERTFR-2015-AVI-488, CERTFR-2016-AVI-027, cpujan2016, CVE-2015-7575, CVE-2015-8126, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475, CVE-2016-0483, CVE-2016-0494, DSA-3458-1, DSA-3465-1, ESA-2016-003, FEDORA-2016-3ea667977a, FEDORA-2016-946b98126d, NTAP-20160121-0001, openSUSE-SU-2016:0263-1, openSUSE-SU-2016:0268-1, openSUSE-SU-2016:0270-1, openSUSE-SU-2016:0272-1, openSUSE-SU-2016:0279-1, RHSA-2016:0049-01, RHSA-2016:0050-01, RHSA-2016:0053-01, RHSA-2016:0054-01, RHSA-2016:0055-01, RHSA-2016:0056-01, RHSA-2016:0057-01, RHSA-2016:0067-01, RHSA-2016:0098-01, RHSA-2016:0099-01, RHSA-2016:0100-01, RHSA-2016:0101-01, SB10148, SLOTH, SOL50118123, SUSE-SU-2016:0256-1, SUSE-SU-2016:0265-1, SUSE-SU-2016:0269-1, SUSE-SU-2016:0390-1, SUSE-SU-2016:0399-1, SUSE-SU-2016:0401-1, SUSE-SU-2016:0428-1, SUSE-SU-2016:0431-1, SUSE-SU-2016:0433-1, SUSE-SU-2016:0636-1, SUSE-SU-2016:0770-1, SUSE-SU-2016:0776-1, USN-2884-1, USN-2885-1, VIGILANCE-VUL-18761, ZDI-16-032.

Description of the vulnerability 

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-21215). [severity:3/4; CVE-2016-0494]

An attacker can use a vulnerability of AWT libpng, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-18301). [severity:3/4; CERTFR-2015-AVI-488, CVE-2015-8126]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-0483, ZDI-16-032]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2016-0475]

An attacker can use a vulnerability of Networking, in order to alter information. [severity:2/4; CVE-2016-0402]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-0466]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; CVE-2016-0448]

An attacker can exploit the acceptance of MD5-based signatures in TLS 1.2 handshakes (the SLOTH transcript-collision attack) to forge an MD5 collision and act as a man-in-the-middle, in order to capture data belonging to this session (VIGILANCE-VUL-18586). [severity:2/4; CVE-2015-7575, SLOTH]

An attacker can generate a buffer overflow in HtmlConverter, in order to trigger a denial of service, and possibly to run code. [severity:2/4]
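
The SLOTH weakness above is closed by refusing MD5-based signatures in the TLS handshake; the JDK fix for CVE-2015-7575 adds "MD5withRSA" to the jdk.tls.disabledAlgorithms security property. The script below is an added example (not part of the Vigil@nce bulletin and not JDK code) that parses a java.security file and reports whether that entry is present, so a JRE's static policy can be audited without starting a JVM. Both configuration excerpts embedded in it are constructed for illustration, not copied from a vendor file.

```python
"""Audit jdk.tls.disabledAlgorithms in a java.security file for the SLOTH fix.

Added example (not from the Vigil@nce bulletin). The JDK fix for
CVE-2015-7575 adds "MD5withRSA" to the jdk.tls.disabledAlgorithms
security property so the JSSE provider refuses MD5-based handshake
signatures. This script parses the properties file and reports whether
that entry (or a blanket "MD5" constraint) is present. Both configuration
excerpts below are constructed for illustration, not copied from a JDK.
"""
import re

KEY_VALUE_RE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_java_properties(text):
    """Minimal java.security (Java properties) parser: '#'/'!' comments,
    key=value or key:value, and a trailing backslash that continues the
    value on the next line (leading whitespace of that line is dropped)."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        m = KEY_VALUE_RE.match(logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def disabled_tls_algorithms(props):
    """Split jdk.tls.disabledAlgorithms into its comma-separated constraints."""
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    return [c.strip() for c in raw.split(",") if c.strip()]


def md5_signatures_disabled(props):
    """True if MD5-based TLS signatures are refused: either the specific
    MD5withRSA entry added by the fix or a blanket MD5 constraint."""
    constraints = {c.upper() for c in disabled_tls_algorithms(props)}
    return "MD5WITHRSA" in constraints or "MD5" in constraints


def audit(text):
    """Parse a java.security file and summarise its TLS signature policy."""
    props = parse_java_properties(text)
    return {
        "disabled": disabled_tls_algorithms(props),
        "md5_signatures_disabled": md5_signatures_disabled(props),
    }


# Constructed excerpt: MD5withRSA is not listed, so an MD5-signed
# ServerKeyExchange is still accepted (the SLOTH precondition).
WEAK_JAVA_SECURITY = """\
# constructed java.security excerpt, weak setting
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
"""

# Constructed excerpt: the corrected setting, with MD5withRSA added and
# the value wrapped onto a continuation line as java.security files do.
FIXED_JAVA_SECURITY = """\
# constructed java.security excerpt, corrected setting
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
"""

if __name__ == "__main__":
    import sys
    # With a path argument, audit that file; otherwise show both samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"weak sample": WEAK_JAVA_SECURITY,
                   "fixed sample": FIXED_JAVA_SECURITY}
    for name, text in targets.items():
        result = audit(text)
        verdict = "ok" if result["md5_signatures_disabled"] else "MD5 signatures still accepted"
        print(f"{name}: {verdict}; jdk.tls.disabledAlgorithms = {result['disabled']}")
```

Point it at the runtime's policy file (for Java 8, jre/lib/security/java.security under the installation directory). The check reads only the static file: an application that calls Security.setProperty at startup, or a JRE launched with -Djava.security.properties, can override what the file says, so the result describes the default policy rather than a running process.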

Our Vigil@nce team rates the severity of this cybersecurity vulnerability as important (3/4).

The trust level is confirmed by the editor, with an origin of document.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Oracle Java, OpenJDK: version 8u71.
The version 8u71 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html

Oracle Java, OpenJDK: version 1.7.0_95.
The version 1.7.0_95 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html
  http://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html

Oracle Java, OpenJDK: version 6u111.
The version 6u111 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
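
To check a host against the fixed Oracle/OpenJDK releases named above (8u71, 7u95, 6u111), the following added example (not part of the Vigil@nce bulletin) parses the version string printed by java -version and compares the update number with the fixed level for that major line. The sample outputs embedded in it are constructed for illustration. Two caveats are built in: IBM builds report SR/FP levels rather than 1.x.0_NN updates, and OpenJDK 6 numbers its builds independently of Oracle's 6uNN updates (the bulletin's packages are 6b38 / 1.6.0.38), so both are reported as unknown rather than compared against the Oracle threshold. For distribution packages, compare the installed package version with the package lists below instead.

```python
"""Classify a Java runtime against the fixed releases in this bulletin.

Added example (not from the Vigil@nce bulletin). The fixed Oracle/OpenJDK
releases are 8u71, 7u95 and 6u111; `java -version` prints them in the
1.MAJOR.0_UPDATE form, which is parsed and compared here. Sample outputs
are constructed for illustration.
"""
import re
import subprocess

# Fixed update levels per major line, taken from the bulletin.
FIXED_UPDATE = {6: 111, 7: 95, 8: 71}

# Matches e.g. 'java version "1.8.0_65"'; Java 6, 7 and 8 only.
VERSION_RE = re.compile(r'version "1\.([678])\.0_(\d+)')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None when the
    string does not use the 1.x.0_NN scheme (IBM SR/FP builds, Java 9+)."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_fixed(output):
    """True if the runtime is at or above the fixed update, False if below,
    None if this bulletin's thresholds cannot be applied to it."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    # OpenJDK 6 (IcedTea) numbers builds independently of Oracle's 6uNN
    # updates: the bulletin's packages are 6b38 / 1.6.0.38, not 6u111, so
    # the Oracle threshold would misreport it. Use the package version.
    if major == 6 and "OpenJDK" in output:
        return None
    return update >= FIXED_UPDATE[major]


def check_installed_java(java_binary="java"):
    """Run `java -version` (it writes to stderr) and classify the result."""
    proc = subprocess.run([java_binary, "-version"],
                          capture_output=True, text=True)
    return is_fixed(proc.stderr + proc.stdout)


# Constructed sample outputs in the `java -version` format.
SAMPLES = {
    "oracle_8u65": 'java version "1.8.0_65"\n'
                   'Java(TM) SE Runtime Environment (build 1.8.0_65-b17)\n',
    "oracle_8u71": 'java version "1.8.0_71"\n'
                   'Java(TM) SE Runtime Environment (build 1.8.0_71-b15)\n',
    "openjdk_7u95": 'java version "1.7.0_95"\n'
                    'OpenJDK Runtime Environment (IcedTea 2.6.4)\n',
    "openjdk_6b37": 'java version "1.6.0_37"\n'
                    'OpenJDK Runtime Environment (IcedTea6 1.13.9)\n',
    "ibm_sr9fp30": 'java version "1.7.0"\n'
                   'Java(TM) SE Runtime Environment (build pxa6470sr9fp30)\n',
}


def classify_all(samples=SAMPLES):
    """Map each sample name to 'fixed', 'vulnerable' or 'unknown'."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown"}
    return {name: labels[is_fixed(out)] for name, out in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```

An "unknown" verdict is a prompt to consult the vendor-specific entries below (IBM SR levels, distribution package versions), not a clean result; a host with several installed runtimes should be checked per binary, since the one on PATH is not necessarily the one an application server uses.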

AIX: fixed versions for IBM Java.
Fixed versions are indicated in information sources.

Brocade: solution for multiple vulnerabilities (04/04/2016).
The following versions fix several vulnerabilities (but not CVE-2016-0705):
  Brocade Network Advisor : install version 12.4.2 or 14.0.1.
  Brocade vTM : install version 9.9r1 or 10.3r1.
The detailed solution is indicated in information sources.

Debian: new openjdk-6 packages.
New packages are available:
  Debian 7: openjdk-6 6b38-1.13.10-1~deb7u1

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u95-2.6.4-1~deb7u1
  Debian 8: openjdk-7 7u95-2.6.4-1~deb8u1

EMC Avamar: solution for JRE.
The solution is indicated in information sources.

F5 BIG-IP: solution for Java.
The solution is indicated in information sources.

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 23: java-1.8.0-openjdk 1.8.0.71-1.b15.fc23
  Fedora 22: java-1.8.0-openjdk 1.8.0.71-1.b15.fc22

IBM Domino, Notes: patch for Java.
A patch is available:
  For the version 9.0.1 Fix Pack 5: http://www.ibm.com/support/docview.wss?uid=swg21657963
  For the version 8.5.3 Fix Pack 6: http://www-01.ibm.com/support/docview.wss?uid=swg21663874

IBM Notes: patch for libpng.
A patch is indicated in information sources.

IBM SPSS Modeler: patch for Java.
A patch is indicated in information sources.

IBM TADDM: solution for Java.
The solution is indicated in information sources.

IBM Tivoli System Automation: patch for IBM Java.
A patch is indicated in information sources.

IBM WebSphere Application Server: patch for Java.
A patch is indicated in information sources, depending on the installed version of WebSphere.

IBM WebSphere MQ: solution for Java.
The solution is indicated in information sources.

IBM WebSphere MQ: version 8.0.0.5.
The version 8.0.0.5 is fixed.

McAfee ePolicy Orchestrator: patch for Java, libpng.
A patch is available:
  http://www.mcafee.com/us/downloads/downloads.aspx
  For ePO 5.1.3: EPO5xHF1117371.zip
  For ePO 5.3.1: EPO5xHF1117371.zip

NetApp SnapManager: patch for Java.
A patch is available:
  SnapManager for Oracle: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=980939
  SnapManager for SAP: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=980940

openSUSE 13.2: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_8_0-openjdk 1.8.0.72-21.1

openSUSE 13: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.95-24.27.1
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.95-16.1

openSUSE Leap 42.1: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.95-25.1

openSUSE Leap 42.1: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_8_0-openjdk 1.8.0.72-6.1

Puppet Labs Puppet Enterprise: version 2015.3.2.
The version 2015.3.2 is fixed.

Puppet Labs Puppet Enterprise: version 3.8.4.
The version 3.8.4 is fixed.

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.20-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.20-1jpp.1.el6_7

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.38-1.13.10.0.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.38-1.13.10.0.el6_7
  RHEL 7: java-1.6.0-openjdk 1.6.0.38-1.13.10.0.el7_2

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.111-1jpp.3.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.111-1jpp.3.el6_7
  RHEL 7: java-1.6.0-sun 1.6.0.111-1jpp.1.el7

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.95-2.6.4.1.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.95-2.6.4.0.el6_7
  RHEL 7: java-1.7.0-openjdk 1.7.0.95-2.6.4.0.el7_2

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.95-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.95-1jpp.1.el6_7
  RHEL 7: java-1.7.0-oracle 1.7.0.95-1jpp.2.el7

RHEL: new java-1.7.x-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.30-1jpp.2.el6_7
  RHEL 5: java-1.7.0-ibm 1.7.0.9.30-1jpp.1.el5

RHEL: new java-1.8.0-ibm packages.
New packages are available:
  RHEL 7: java-1.8.0-ibm 1.8.0.2.10-1jpp.1.el7

RHEL: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 7: java-1.8.0-openjdk 1.8.0.71-2.b15.el7_2
  RHEL 6: java-1.8.0-openjdk 1.8.0.71-1.b15.el6_7

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.71-1jpp.1.el6_7
  RHEL 7: java-1.8.0-oracle 1.8.0.71-1jpp.1.el7

SUSE LE 10 SP4: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 10 SP4: java-1_6_0-ibm 1.6.0_sr16.20-0.8.1

SUSE LE 11 SP3: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.30-47.1

SUSE LE 12: new java-1_8_0-openjdk packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-openjdk 1.8.0.72-3.2

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.20-49.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.20-51.1
  SUSE LE 12 RTM: java-1_6_0-ibm 1.6.0_sr16.20-30.1

SUSE LE: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.30-45.1

SUSE LE: new java-1_7_0-openjdk packages (28/01/2016).
New packages are available:
  SUSE LE 12 SP1: java-1_7_0-openjdk 1.7.0.95-24.2
  SUSE LE 12 RTM: java-1_7_0-openjdk 1.7.0.95-24.2
  SUSE LE 11 SP4: java-1_7_0-openjdk 1.7.0.95-0.17.2
  SUSE LE 11 SP3: java-1_7_0-openjdk 1.7.0.95-0.17.2

SUSE LE: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 11 SP4: java-1_7_1-ibm 1.7.1_sr3.30-9.1
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.30-21.1
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.30-21.1

SUSE LE: new java-1_8_0-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-ibm 1.8.0_sr2.10-7.1

Synology DS, RS: version 5.2-5644 Update 3.
The version 5.2-5644 Update 3 is fixed:
  https://www.synology.com

Ubuntu: new openjdk-6 packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6-jre 6b38-1.13.10-0ubuntu0.12.04.1

Ubuntu: new openjdk-7 packages.
New packages are available:
  Ubuntu 15.10: openjdk-7-jre 7u95-2.6.4-0ubuntu0.15.10.1
  Ubuntu 15.04: openjdk-7-jre 7u95-2.6.4-0ubuntu0.15.04.1
  Ubuntu 14.04 LTS: openjdk-7-jre 7u95-2.6.4-0ubuntu0.14.04.1