The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Oracle Java: several vulnerabilities of July 2015

Summary of the vulnerability

Several vulnerabilities of Oracle Java were announced in July 2015.
Severity of this announcement: 3/4.
Number of vulnerabilities in this bulletin: 25.
Creation date: 15/07/2015.
References for this computer vulnerability: 1963330, 1963331, 1963812, 1964236, 1966040, 1966536, 1967222, 1967498, 1967893, 1968485, 1972455, 206954, 9010041, 9010044, BSA-2016-002, CERTFR-2015-ALE-007, CERTFR-2015-AVI-305, CERTFR-2016-AVI-128, cpujul2015, CVE-2015-2590, CVE-2015-2596, CVE-2015-2597, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2659, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760, DSA-3316-1, DSA-3339-1, ESA-2015-134, FEDORA-2015-11859, FEDORA-2015-11860, JSA10727, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1288-1, openSUSE-SU-2015:1289-1, RHSA-2015:1228-01, RHSA-2015:1229-01, RHSA-2015:1230-01, RHSA-2015:1241-01, RHSA-2015:1242-01, RHSA-2015:1243-01, RHSA-2015:1485-01, RHSA-2015:1486-01, RHSA-2015:1488-01, RHSA-2015:1526-01, RHSA-2015:1544-01, SB10139, SOL17079, SOL17169, SOL17170, SOL17171, SOL17173, SUSE-SU-2015:1319-1, SUSE-SU-2015:1320-1, SUSE-SU-2015:1329-1, SUSE-SU-2015:1331-1, SUSE-SU-2015:1345-1, SUSE-SU-2015:1375-1, SUSE-SU-2015:1509-1, SUSE-SU-2015:2166-1, SUSE-SU-2015:2192-1, USN-2696-1, USN-2706-1, VIGILANCE-VUL-17371.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-17558). [severity:3/4; CVE-2015-4760]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2628]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4731]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2590]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4732]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4733]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2638]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4736]

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4748]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2597]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2664]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-2632]

An attacker can use a vulnerability of JCE, in order to obtain information. [severity:2/4; CVE-2015-2601]

An attacker can use a vulnerability of JCE, in order to obtain information (VIGILANCE-VUL-18168). [severity:2/4; CVE-2015-2613]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; CVE-2015-2621]

An attacker can use a vulnerability of Security, in order to trigger a denial of service. [severity:2/4; CVE-2015-2659]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-2619]

An attacker can bypass security features in 2D, in order to obtain sensitive information. [severity:2/4; CVE-2015-2637]

An attacker can use a vulnerability of Hotspot, in order to alter information. [severity:2/4; CVE-2015-2596]

An attacker can use a vulnerability of JNDI, in order to trigger a denial of service. [severity:2/4; CVE-2015-4749]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; CVE-2015-4729]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; CVE-2015-4000]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; CVE-2015-2808]

An attacker can use a vulnerability of Install, in order to obtain information. [severity:1/4; CVE-2015-2627]

An attacker can use a vulnerability of JSSE, in order to obtain information. [severity:1/4; CVE-2015-2625]

This computer vulnerability alert impacts software or systems such as DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Avamar, BIG-IP Hardware, TMOS, Fedora, AIX, DB2 UDB, Domino, Notes, IRAD, SPSS Data Collection, SPSS Modeler, SPSS Statistics, Tivoli Storage Manager, Tivoli System Automation, WebSphere MQ, Junos Space, ePO, SnapManager, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this computer threat alert is important.

The trust level is of type confirmed by the editor, with an origin of document.

This bulletin is about 25 vulnerabilities.

An attacker with expert ability can exploit this security vulnerability.

Solutions for this threat

Oracle Java, OpenJDK: version 8u51.
The version 8u51 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html

Oracle Java, OpenJDK: version 7u85.
The version 7u85 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html

Oracle Java, OpenJDK: version 6u101.
The version 6u101 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

AIX: fixed versions for IBM SDK Java.
Fixed versions are indicated in information sources.

Brocade: solution.
The solution is indicated in information sources.

Debian: new openjdk-6 packages.
New packages are available:
  Debian 7: openjdk-6 6b36-1.13.8-1~deb7u1

Debian: new openjdk-7 packages (27/07/2015).
New packages are available:
  Debian 7: openjdk-7 7u79-2.5.6-1~deb7u1
  Debian 8: openjdk-7 7u79-2.5.6-1~deb8u1

EMC Avamar: solution for Java JRE 1.7.
The solution is indicated in information sources.

F5 BIG-IP: fixed versions for Java SE.
Fixed versions are indicated in information sources.

F5 BIG-IP: fixed versions for Java SE CVE-2015-4736.
Fixed versions are indicated in information sources.

F5 BIG-IP: fixed versions for OpenJDK CVE-2015-2628.
Fixed versions are indicated in information sources.

F5 BIG-IP: fixed versions for OpenJDK CVE-2015-4760.
Fixed versions are indicated in information sources.

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 21: java-1.8.0-openjdk 1.8.0.51-4.b16.fc21
  Fedora 22: java-1.8.0-openjdk 1.8.0.51-4.b16.fc22

IBM DB2: solution for IBM Java SDK.
The solution is indicated in information sources.

IBM Domino, Notes: solution for IBM SDK Java.
The solution is indicated in information sources.

IBM Rational Application Developer for WebSphere: patch for IBM Java SDK.
A patch is indicated in information sources.

IBM Rational Application Developer for WebSphere: solution for IBM Java SDK.
The solution is indicated in information sources.

IBM SPSS Data Collection: patch for Java.
A patch is indicated in information sources.

IBM SPSS Modeler: patch for IBM Java SDK.
A patch is indicated in information sources.

IBM SPSS Statistics: patch for Java.
A patch is indicated in information sources.

IBM Tivoli Storage Manager for Virtual Environments: patch for IBM Java.
A patch is indicated in information sources.

IBM Tivoli System Automation: solution for Java.
The solution is indicated in information sources.

IBM WebSphere MQ: solution for Java.
The solution is indicated in information sources.

Junos Space: version 15.1R3.
The version 15.1R3 is fixed:
  https://www.juniper.net/

Junos Space: version 15.2R1.
The version 15.2R1 is fixed:
  https://www.juniper.net/

McAfee ePO: versions 5.1.3 and 5.3.1.
Versions 5.1.3 and 5.3.1 are fixed:
  http://www.mcafee.com/us/downloads/downloads.aspx

NetApp SnapManager: patch for Oracle Java.
A patch is available:
  SnapManager for Oracle: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=959904
  SnapManager for SAP: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=959905

openSUSE: new java-1_x_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.85-24.21.1
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.85-10.2, java-1_8_0-openjdk 1.8.0.51-12.1

Puppet Enterprise: version 2015.2.0.
The version 2015.2.0 is fixed:
  https://puppetlabs.com/

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.101-1jpp.1.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.101-1jpp.1.el6_6
  RHEL 7: java-1.6.0-sun 1.6.0.101-1jpp.1.el7_1

RHEL: new java-1.x.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.36-1.13.8.1.el5_11, java-1.7.0-openjdk 1.7.0.85-2.6.1.3.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.36-1.13.8.1.el6_7, java-1.7.0-openjdk 1.7.0.85-2.6.1.3.el6_6, java-1.8.0-openjdk 1.8.0.51-0.b16.el6_6
  RHEL 7: java-1.6.0-openjdk 1.6.0.36-1.13.8.1.el7_1, java-1.7.0-openjdk 1.7.0.85-2.6.1.2.el7_1, java-1.8.0-openjdk 1.8.0.51-1.b16.el7_1

RHEL: new java-1.x.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.85-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.85-1jpp.2.el6_6, java-1.8.0-oracle 1.8.0.51-1jpp.2.el6_6
  RHEL 7: java-1.7.0-oracle 1.7.0.85-1jpp.2.el7_1, java-1.8.0-oracle 1.8.0.51-1jpp.2.el7_1

RHEL: new java-1.x.x-ibm packages.
New packages are available:
  RHEL 5: java-1.5.0-ibm 1.5.0.16.13-1jpp.3.el5, java-1.6.0-ibm 1.6.0.16.7-1jpp.1.el5, java-1.7.0-ibm 1.7.0.9.10-1jpp.2.el5
  RHEL 6: java-1.5.0-ibm 1.5.0.16.13-1jpp.3.el6_7, java-1.6.0-ibm 1.6.0.16.7-1jpp.1.el6_7, java-1.7.1-ibm 1.7.1.3.10-1jpp.3.el6_7
  RHEL 7: java-1.7.1-ibm 1.7.1.3.10-1jpp.1.el7_1

SUSE LE 11: new java-1_6_0-ibm packages (02/12/2015).
New packages are available:
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.15-46.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.15-46.1

SUSE LE 11: new java-1_6_0-ibm packages (08/09/2015).
New packages are available:
  SUSE LE 11 SP1: java-1_6_0-ibm 1.6.0_sr16.7-10.1
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.7-10.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.7-10.1

SUSE LE 11: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.10-9.1
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.10-9.1

SUSE LE 12: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 12 RTM: java-1_6_0-ibm 1.6.0_sr16.7-22.2

SUSE LE: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 11: java-1_7_0-openjdk 1.7.0.85-0.11.2
  SUSE LE 12: java-1_7_0-openjdk 1.7.0.85-18.2

SUSE LE: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 11 SP4: java-1_7_1-ibm 1.7.1_sr3.10-3.1
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.10-14.1

Ubuntu: new openjdk-6 packages.
New packages are available:
  Ubuntu 12.04 LTS: icedtea-6 6b36-1.13.8-0ubuntu1~12.04, openjdk-6 6b36-1.13.8-0ubuntu1~12.04

Ubuntu: new openjdk packages.
New packages are available:
  Ubuntu 15.04: openjdk 7u79-2.5.6-0ubuntu1.15.04.1
  Ubuntu 14.04 LTS: openjdk 7u79-2.5.6-0ubuntu1.14.04.1