
Oracle Java: several vulnerabilities of April 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Java were announced in April 2015.
Severity of this alert: 3/4.
Number of vulnerabilities in this bulletin: 14.
Creation date: 15/04/2015.
References of this alert: 1610582, 1902260, 1903541, 1903704, 1958902, 1960194, 1964236, 1966551, 1967498, 1968485, 205086, 206954, 7045736, BSA-2015-009, CERTFR-2015-AVI-172, cpuapr2015, CVE-2015-0204, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492, DSA-3234-1, DSA-3235-1, DSA-3316-1, ESA-2015-085, ESA-2015-134, FEDORA-2015-6357, FEDORA-2015-6369, FEDORA-2015-6397, FREAK, MDVSA-2015:212, openSUSE-SU-2015:0773-1, openSUSE-SU-2015:0774-1, RHSA-2015:0806-01, RHSA-2015:0807-01, RHSA-2015:0808-01, RHSA-2015:0809-01, RHSA-2015:0854-01, RHSA-2015:0857-01, RHSA-2015:0858-01, RHSA-2015:1006-01, RHSA-2015:1007-01, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SB10119, SUSE-SU-2015:0833-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, SUSE-SU-2015:2166-1, SUSE-SU-2015:2168-1, SUSE-SU-2015:2168-2, SUSE-SU-2015:2182-1, SUSE-SU-2015:2192-1, SUSE-SU-2015:2216-1, USN-2573-1, USN-2574-1, VIGILANCE-VUL-16607, VU#243585.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0469]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0459]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0491]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0460]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0492]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0458]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0484]

An attacker can use a vulnerability of Tools, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-0480]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; CVE-2015-0486]

An attacker can use a vulnerability of JSSE, in order to trigger a denial of service. [severity:2/4; CVE-2015-0488]

An attacker can use a vulnerability of Beans, in order to alter information. [severity:2/4; CVE-2015-0477]

An attacker can use a vulnerability of Hotspot, in order to alter information. [severity:2/4; CVE-2015-0470]

An attacker can use a vulnerability of JCE, in order to obtain information (VIGILANCE-VUL-17836). [severity:2/4; CVE-2015-0478]

An attacker, located as a Man-in-the-Middle, can force the Chrome, JSSE, LibReSSL, Mono or OpenSSL client to accept a weak export algorithm, in order to more easily capture or alter exchanged data (VIGILANCE-VUL-16301). [severity:2/4; CVE-2015-0204, FREAK, VU#243585]

This vulnerability announcement impacts software or systems such as DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Debian, Avamar, ECC, Fedora, AIX, DB2 UDB, Domino, Notes, IRAD, Security Directory Server, SPSS Modeler, Tivoli Storage Manager, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, ePO, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this cybersecurity threat is important.

The trust level is: confirmed by the vendor, with a vendor document as origin.

This bulletin is about 14 vulnerabilities.

An attacker with expert skills can exploit the vulnerabilities in this bulletin.

Solutions for this threat

Oracle Java, OpenJDK: version 8u45.
The version 8u45 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java, OpenJDK: version 7u80.
The version 7u80 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java, OpenJDK: version 6u95.
The version 6u95 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

Oracle Java, OpenJDK: version 5.0u85.
The version 5.0u85 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html
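The fixed Oracle update levels above (8u45, 7u80, 6u95, 5.0u85) can be checked against the `java -version` banners collected from an inventory. This is an added example, not part of the Vigil@nce bulletin; the hostnames and banners in the sample inventory are constructed, and OpenJDK banners are deliberately left without a verdict because distribution packages use their own numbering (the bulletin lists openjdk-7 7u79 builds as fixed).

```python
import re

# Minimum fixed update level per Java major release, taken from the bulletin
# (Oracle Java 8u45, 7u80, 6u95, 5.0u85).
FIXED_UPDATE = {8: 45, 7: 80, 6: 95, 5: 85}

# Legacy "1.<major>.0_<update>" form printed by `java -version` for Java 5 to 8,
# e.g. java version "1.7.0_79"; a trailing build tag such as "-b13" is ignored.
_VERSION_RE = re.compile(r'(?<![\d.])1\.([5-8])\.0_(\d+)')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_patched(banner):
    """True/False against the bulletin's Oracle fixed levels; None when no verdict
    is possible: an unrecognised version string, or an OpenJDK banner, whose
    distribution packages use different numbering and must be compared with the
    package versions the bulletin lists instead."""
    if banner.lstrip().lower().startswith("openjdk"):
        return None
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    return update >= FIXED_UPDATE[major]


def triage(inventory):
    """Map host -> 'patched' / 'VULNERABLE' / 'check-manually' for {host: banner}."""
    labels = {True: "patched", False: "VULNERABLE", None: "check-manually"}
    return {host: labels[is_patched(banner)] for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = {
    "build01": 'java version "1.7.0_79"',    # below 7u80: still exposed
    "app02": 'java version "1.8.0_45"',      # at 8u45: fixed
    "legacy03": 'java version "1.6.0_95"',   # at 6u95: fixed
    "old04": 'java version "1.5.0_22"',      # below 5.0u85: still exposed
    "ci05": 'openjdk version "1.7.0_79"',    # distro build: compare package version
    "new06": 'java version "1.4.2_19"',      # release not covered by this bulletin
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {verdict}")
```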

Brocade: fixed versions for Java, OpenSSL, OpenSSH, BIND.
Fixed versions are indicated in information sources.

Debian: new openjdk-6 packages.
New packages are available:
  Debian 7: openjdk-6 6b35-1.13.7-1~deb7u1

Debian: new openjdk-7 packages (27/04/2015).
New packages are available:
  Debian 7: openjdk-7 7u79-2.5.5-1~deb7u1
  Debian 8: openjdk-7 7u79-2.5.5-1~deb8u1

Debian: new openjdk-7 packages (27/07/2015).
New packages are available:
  Debian 7: openjdk-7 7u79-2.5.6-1~deb7u1
  Debian 8: openjdk-7 7u79-2.5.6-1~deb8u1

EMC Avamar: solution for Java JRE 1.7.
The solution is indicated in information sources.

EMC ControlCenter: solution for Oracle CPU April 2015.
The solution is indicated in information sources.

Fedora 20: new java-1.7.0-openjdk packages.
New packages are available:
  Fedora 20: java-1.7.0-openjdk 1.7.0.79-2.5.5.0.fc20

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 20: java-1.8.0-openjdk 1.8.0.45-31.b13.fc20
  Fedora 21: java-1.8.0-openjdk 1.8.0.45-31.b13.fc21

IBM AIX: patch for Java.
The announcement states the URLs of the applicable patch for each version of the SDK.

IBM DB2: version 10.1 Fix Pack 6.
The version 10.1 Fix Pack 6 is fixed.

IBM Notes, Domino: patch for Java 6.
A patch is available:
  version 9.0.1.x: http://www-01.ibm.com/support/docview.wss?uid=swg21657963
  version 8.5.3: http://www-01.ibm.com/support/docview.wss?uid=swg21663874

IBM Rational Application Developer for WebSphere: solution for IBM Java SDK.
The solution is indicated in information sources.

IBM Rational Application Developer: version 9.0.1.2.
The version 9.0.1.2 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24039952

IBM SPSS Modeler: fixed versions for IBM Java.
Fixed versions are as follows:
  14.2 Fix Pack 3 Interim Fix 025
  15.0 Fix Pack 3 Interim Fix 013
  16.0 Fix Pack 2 Interim Fix 003
  17.0 Fix Pack 1 Interim Fix 002

IBM Tivoli Directory Server: patch for Java.
A patch is available in information sources.

IBM Tivoli Storage Manager for Virtual Environments: patch for IBM Java.
A patch is indicated in information sources.

IBM Tivoli Workload Scheduler: patch for Java.
A patch is indicated in information sources.

IBM WebSphere MQ: solution for Java.
The solution is indicated in information sources.

Mandriva: new java-1.7.0-openjdk packages.
New packages are available:
  Mandriva BS1: java-1.7.0-openjdk 1.7.0.65-2.5.5.1.mbs1

McAfee ePolicy Orchestrator: patch for Java.
A patch is available in information sources.

openSUSE: new java-1_x_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.79-7.4, java-1_8_0-openjdk 1.8.0.45-9.3

Puppet Enterprise: version 3.8.0.
The version 3.8.0 is fixed:
  https://puppetlabs.com/

Red Hat Satellite 5: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.4-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.4-1jpp.1.el6_6

RHEL 5, 6: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.4-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.4-1jpp.1.el6_6

RHEL 5: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.9.0-1jpp.1.el5

RHEL: new java-1.5.0-ibm packages.
New packages are available:
  RHEL 5: java-1.5.0-ibm 1.5.0.16.10-1jpp.1.el5
  RHEL 6: java-1.5.0-ibm 1.5.0.16.10-1jpp.1.el6_6

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.95-1jpp.3.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.95-1jpp.3.el6_6

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.79-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.79-1jpp.1.el6_6
  RHEL 7: java-1.7.0-oracle 1.7.0.79-1jpp.1.el7_1

RHEL: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.0-1jpp.2.el6_6
  RHEL 7: java-1.7.1-ibm 1.7.1.3.0-1jpp.2.el7_1

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.45-1jpp.2.el6_6
  RHEL 7: java-1.8.0-oracle 1.8.0.45-1jpp.2.el7_1

RHEL: new java-1.x.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.35-1.13.7.1.el5_11, java-1.7.0-openjdk 1.7.0.79-2.5.5.2.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.35-1.13.7.1.el6_6, java-1.7.0-openjdk 1.7.0.79-2.5.5.1.el6_6, java-1.8.0-openjdk 1.8.0.45-28.b13.el6_6
  RHEL 7: java-1.6.0-openjdk 1.6.0.35-1.13.7.1.el7_1, java-1.7.0-openjdk 1.7.0.79-2.5.5.1.el7_1

SUSE LE 10: new IBM Java packages.
New packages are available:
  SUSE LE 10: java-1_6_0-ibm 1.6.0_sr16.4-0.8.1

SUSE LE 11: new java-1_6_0-ibm packages (02/12/2015).
New packages are available:
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.15-46.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.15-46.1

SUSE LE 11: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.20-42.1
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.20-42.1

SUSE LE 11: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 11: java-1_7_0-openjdk 1.7.0.75-0.9.1

SUSE LE 12: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 12: java-1_6_0-ibm 1.6.0_sr16.4-15.1

SUSE LE 12: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.20-17.1

SUSE LE 12 SP1: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.20-18.1

SUSE LE: new IBM Java packages.
New packages are available:
  SUSE LE 10: java-1_5_0-ibm 1.5.0_sr16.10-0.6.1
  SUSE LE 11: java-1_6_0-ibm 1.6.0_sr16.4-0.3.1, java-1_7_0-ibm 1.7.0_sr9.0-0.7.1

Ubuntu: new openjdk-6 packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6 6b35-1.13.7-1ubuntu0.12.04.2
  Ubuntu 10.04 LTS: openjdk-6 6b35-1.13.7-1ubuntu0.10.04.2

Ubuntu: new openjdk-7 packages.
New packages are available:
  Ubuntu 14.10: openjdk-7 7u79-2.5.5-0ubuntu0.14.10.2
  Ubuntu 14.04 LTS: openjdk-7 7u79-2.5.5-0ubuntu0.14.04.2

WebSphere AS: patch for Java.
Some patches are available in information sources, to be chosen according to the version of WebSphere AS.
