The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Oracle Java: several vulnerabilities of January 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Java were announced in January 2015.
Severity of this weakness: 3/4.
Number of vulnerabilities in this bulletin: 19.
Creation date: 21/01/2015.
References of this bulletin: 1698239, 1699051, 1700706, 1701485, 7045736, c04517481, c04580241, c04583581, CERTFR-2015-AVI-034, CERTFR-2016-AVI-303, cpujan2015, CTX216642, CVE-2014-3566, CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0400, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413, CVE-2015-0421, CVE-2015-0437, DSA-3144-1, DSA-3147-1, FEDORA-2015-0983, FEDORA-2015-1075, FEDORA-2015-1150, FEDORA-2015-8251, FEDORA-2015-8264, HPSBUX03219, HPSBUX03273, HPSBUX03281, MDVSA-2015:033, MDVSA-2015:198, openSUSE-SU-2015:0190-1, RHSA-2015:0067-01, RHSA-2015:0068-01, RHSA-2015:0069-01, RHSA-2015:0079-01, RHSA-2015:0080-01, RHSA-2015:0085-01, RHSA-2015:0086-01, RHSA-2015:0133-01, RHSA-2015:0134-01, RHSA-2015:0135-01, RHSA-2015:0136-01, RHSA-2015:0263-01, RHSA-2015:0264-01, SB10104, SSRT101859, SSRT101951, SSRT101968, SUSE-SU-2015:0336-1, SUSE-SU-2015:0503-1, USN-2486-1, USN-2487-1, VIGILANCE-VUL-16014, VMSA-2015-0003, VMSA-2015-0003.1, VMSA-2015-0003.10, VMSA-2015-0003.11, VMSA-2015-0003.12, VMSA-2015-0003.13, VMSA-2015-0003.14, VMSA-2015-0003.15, VMSA-2015-0003.2, VMSA-2015-0003.3, VMSA-2015-0003.4, VMSA-2015-0003.5, VMSA-2015-0003.6, VMSA-2015-0003.8, VMSA-2015-0003.9.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6601]

An attacker can use a vulnerability of JAX-WS, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0412]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6549]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0408]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0395]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0437]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0403]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0421]

An attacker can use a vulnerability of Deployment, in order to obtain information, or to trigger a denial of service. [severity:2/4; CVE-2015-0406]

An attacker can use a vulnerability of Hotspot, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-0383]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; CVE-2015-0400]

An attacker can use a vulnerability of Swing, in order to obtain information. [severity:2/4; CVE-2015-0407]

An attacker can use a vulnerability of Security, in order to trigger a denial of service. [severity:2/4; CVE-2015-0410]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2014-6587]

An attacker can use a vulnerability of JSSE, in order to obtain information. [severity:2/4; CVE-2014-3566]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information (VIGILANCE-VUL-16300). [severity:2/4; CVE-2014-6593]

An attacker can use a vulnerability of 2D, in order to obtain information (VIGILANCE-VUL-17559). [severity:1/4; CVE-2014-6585]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:1/4; CVE-2014-6591]

An attacker can use a vulnerability of Serviceability, in order to alter information. [severity:1/4; CVE-2015-0413]

This threat alert impacts software or systems such as Debian, Fedora, HP-UX, AIX, IRAD, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere MQ, ePO, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Solaris, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this computer vulnerability bulletin is important.

The trust level is "confirmed by the editor", with an origin of "document".

This bulletin is about 19 vulnerabilities.

An attacker with an expert ability can exploit this weakness note.

Solutions for this threat

Oracle Java: version 8u31.
The version 8u31 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 7u75.
The version 7u75 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 6u91.
The version 6u91 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

Oracle Java: version 5.0u81.
The version 5.0u81 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html
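The four Oracle Java fixed releases above (8u31, 7u75, 6u91, 5.0u81) can be turned into a quick inventory check. The following script is an added example and is not part of the Vigil@nce bulletin or an Oracle tool: it parses the legacy "1.x.0_NN" string printed by `java -version` on Oracle builds and reports whether the installed update is at or above the fixed update for its family. It assumes the version string follows that legacy scheme (Java 9 and later use a different one and are reported as unknown) and it applies only to Oracle-built JRE/JDK installs; for distribution packages of OpenJDK, which backport fixes under their own package versions, the package versions listed further down in this bulletin are the authority, not the bare Java version string.

```python
import re
import subprocess

# Minimum fixed Oracle Java update per family, taken from this bulletin:
# 8u31, 7u75, 6u91 and 5.0u81 (Java SE 5.0 reports itself as 1.5.0_NN).
FIXED_UPDATE = {8: 31, 7: 75, 6: 91, 5: 81}

# Matches the first line of `java -version` in the legacy numbering scheme,
# e.g. 'java version "1.7.0_71"' or 'openjdk version "1.8.0_25"'.
# Java 9+ ('java version "9.0.1"') deliberately does not match.
_LEGACY_VERSION_RE = re.compile(r'version "1\.(\d)\.\d+_(\d+)')


def parse_java_version(output):
    """Return (family, update) parsed from `java -version` output,
    or None if the legacy 1.x.0_NN format is not present."""
    match = _LEGACY_VERSION_RE.search(output)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def is_patched(output):
    """True if the reported build is at or above the fixed update for its
    family, False if it is older, None if the family or format is unknown."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return None
    return update >= fixed


def describe(output):
    """Human-readable verdict for one `java -version` output."""
    verdict = is_patched(output)
    if verdict is None:
        return "unknown: version string not in the legacy 1.x.0_NN scheme or family not covered"
    family, update = parse_java_version(output)
    state = "patched" if verdict else "VULNERABLE"
    return "Java %du%d: %s (fixed at %du%d)" % (family, update, state, family, FIXED_UPDATE[family])


def check_local_java():
    """Run the local `java -version` (it prints to stderr) and return its verdict,
    or None if no java binary is on PATH."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return describe(result.stderr + result.stdout)


# Constructed sample outputs (not captured from real systems) covering the
# main cases: an older 8u25, an exactly-fixed 7u75, and a Java 9 string.
SAMPLES = [
    'java version "1.8.0_25"\nJava(TM) SE Runtime Environment (build 1.8.0_25-b17)',
    'java version "1.7.0_75"\nJava(TM) SE Runtime Environment (build 1.7.0_75-b13)',
    'java version "1.5.0_80"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_80-b11)',
    'java version "9.0.1"\nJava(TM) SE Runtime Environment (build 9.0.1+11)',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe(sample))
    local = check_local_java()
    print("local JVM:", local if local is not None else "no java binary found on PATH")
```

Running the script prints a verdict for each constructed sample and then for the JVM on PATH, if any. Machines with several JVMs (application-server bundles, per-user installs) need each binary checked individually, since only the first `java` on PATH is inspected here.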

AIX: solution for Java.
The solution is indicated in information sources.

Citrix NetScaler: fixed versions for LOM Firmware.
Fixed versions are indicated in information sources.

Debian: new openjdk-6 packages.
New packages are available:
  Debian 7: openjdk-6 6b34-1.13.6-1~deb7u1

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u75-2.5.4-1~deb7u1

Fedora 20: new java-1.7.0-openjdk packages.
New packages are available:
  Fedora 20: java-1.7.0-openjdk 1.7.0.75-2.5.4.2.fc20

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 20: java-1.8.0-openjdk 1.8.0.45-38.b14.fc20
  Fedora 21: java-1.8.0-openjdk 1.8.0.45-38.b14.fc21

HP-UX: Java versions 6.0.25, 7.0.11 and 8.0.01.
Java versions 6.0.25, 7.0.11 and 8.0.01 are fixed:
  http://www.hp.com/java

IBM Rational Application Developer: solution for IBM Java SDK.
The solution is indicated in information sources.

IBM Rational Application Developer: version 9.0.1.2.
The version 9.0.1.2 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24039952

IBM Tivoli System Automation: solution for Java.
The solution is indicated in information sources.

Mandriva: new java-1.7.0-openjdk packages.
New packages are available:
  Mandriva BS1: java-1.7.0-openjdk 1.7.0.65-2.5.4.1.mbs1

Mandriva: new java-1.8.0-openjdk packages.
New packages are available:
  Mandriva BS2: java-1.8.0-openjdk 1.8.0.40-5.b25.1.mbs2

McAfee ePO: solution for Oracle JRE.
The solution is indicated in information sources.

openSUSE 13.2: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.75-4.1

Puppet Enterprise: version 3.7.2.
The version 3.7.2 is fixed:
  http://puppetlabs.com/

Red Hat Satellite 5: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.3-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.3-1jpp.1.el6

RHEL 5, 6: new java-1.5.0-ibm packages.
New packages are available:
  RHEL 5: java-1.5.0-ibm 1.5.0.16.9-1jpp.1.el5
  RHEL 6: java-1.5.0-ibm 1.5.0.16.9-1jpp.1.el6_6

RHEL 5, 6: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.3-1jpp.1.el5

RHEL 5: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.8.10-1jpp.4.el5

RHEL 6.6: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.31-1.b13.el6_6

RHEL 6, 7: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.2.10-1jpp.3.el6_6
  RHEL 7: java-1.7.1-ibm 1.7.1.2.10-1jpp.3.el7_0

RHEL 6: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.31-1jpp.1.el6

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.34-1.13.6.1.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.34-1.13.6.1.el6_6
  RHEL 7: java-1.6.0-openjdk 1.6.0.34-1.13.6.1.el7_0

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.91-1jpp.1.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.91-1jpp.1.el6
  RHEL 7: java-1.6.0-sun 1.6.0.91-1jpp.1.el7

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.75-2.5.4.0.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.75-2.5.4.0.el6_6
  RHEL 7: java-1.7.0-openjdk 1.7.0.75-2.5.4.2.el7_0

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.75-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.75-1jpp.1.el6
  RHEL 7: java-1.7.0-oracle 1.7.0.75-1jpp.2.el7

Solaris: patch for Third Party software.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 11: java-1_7_0-openjdk 1.7.0.75-0.7.1
  SUSE LE 12: java-1_7_0-openjdk 1.7.0.75-11.3

Tivoli Workload Scheduler: solution for OpenSSL and Java.
The solution is indicated in information sources.

Ubuntu: new openjdk-6-jre packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6-jre 6b34-1.13.6-1ubuntu0.12.04.1
  Ubuntu 10.04 LTS: openjdk-6-jre 6b34-1.13.6-1ubuntu0.10.04.1

Ubuntu: new openjdk-7-jre packages.
New packages are available:
  Ubuntu 14.10: openjdk-7-jre 7u75-2.5.4-1~utopic1
  Ubuntu 14.04 LTS: openjdk-7-jre 7u75-2.5.4-1~trusty1

VMware: solution for Java.
The solution is indicated in information sources.

WebSphere MQ: solution.
The solution is indicated in information sources.
