The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Oracle Java: several vulnerabilities of October 2014

Synthesis of the vulnerability 

Several vulnerabilities of Oracle Java were announced in October 2014.
Vulnerable systems: Debian, Fedora, HP-UX, AIX, IRAD, Tivoli Workload Scheduler, WebSphere MQ, ePO, Java OpenJDK, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity of this threat: 3/4.
Number of vulnerabilities in this bulletin: 25.
Creation date: 15/10/2014.
References of this weakness: 1699051, 1700706, 7045736, 74387, c04517477, CERTFR-2014-AVI-429, cpuoct2014, CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6466, CVE-2014-6468, CVE-2014-6476, CVE-2014-6485, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6513, CVE-2014-6515, CVE-2014-6517, CVE-2014-6519, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6562, DSA-3077-1, DSA-3080-1, FEDORA-2014-13021, FEDORA-2014-13027, FEDORA-2014-13049, FEDORA-2014-13075, HPSBUX03218, MDVSA-2014:209, RHSA-2014:1620-01, RHSA-2014:1633-01, RHSA-2014:1634-01, RHSA-2014:1636-01, RHSA-2014:1657-01, RHSA-2014:1658-01, RHSA-2014:1876-01, RHSA-2014:1877-01, RHSA-2014:1880-01, RHSA-2014:1881-01, RHSA-2014:1882-01, SB10092, SSRT101770, SUSE-SU-2014:1422-1, SUSE-SU-2014:1526-1, SUSE-SU-2014:1526-2, SUSE-SU-2014:1549-1, USN-2386-1, USN-2388-1, USN-2388-2, VIGILANCE-VUL-15482, ZDI-14-382.

Description of the vulnerability 

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6513]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6532]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6503]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6456]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6562]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6485]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6492]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6493]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-4288]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6466, ZDI-14-382]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6458]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6468]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2014-6506]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2014-6511]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; CVE-2014-6476]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; CVE-2014-6515]

An attacker can use a vulnerability of Hotspot, in order to obtain information. [severity:2/4; CVE-2014-6504]

An attacker can use a vulnerability of Hotspot, in order to alter information. [severity:2/4; CVE-2014-6519]

An attacker can use a vulnerability of JAXP, in order to obtain information. [severity:2/4; CVE-2014-6517]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; CVE-2014-6531]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; CVE-2014-6512]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; CVE-2014-6457]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:1/4; CVE-2014-6527]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:1/4; CVE-2014-6502]

An attacker can use a vulnerability of Security, in order to alter information. [severity:1/4; CVE-2014-6558]

This computer threat alert impacts software or systems such as Debian, Fedora, HP-UX, AIX, IRAD, Tivoli Workload Scheduler, WebSphere MQ, ePO, Java OpenJDK, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this weakness announcement is important.

The trust level is "confirmed by the editor", with an origin of "document".

This bulletin is about 25 vulnerabilities.

An attacker with expert ability can exploit this computer weakness bulletin.

Solutions for this threat 

Oracle Java: version 8u25.
The version 8u25 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 7u71.
The version 7u71 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 6u85.
The version 6u85 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

Oracle Java: version 5.0u75.
The version 5.0u75 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html

IcedTea: version 2.5.3.
The version 2.5.3 is fixed:
  http://icedtea.classpath.org/download/source/icedtea-2.5.3.tar.gz

IcedTea: version 1.13.5.
The version 1.13.5 is fixed:
  http://icedtea.classpath.org/download/source/icedtea6-1.13.5.tar.gz

AIX: fixed versions for Java.
Fixed versions are indicated in information sources.

Debian: new openjdk-6 packages.
New packages are available:
  Debian 7: openjdk-6 6b33-1.13.5-2~deb7u1

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u71-2.5.3-2~deb7u1

Fedora: new java-1.7.0-openjdk packages.
New packages are available:
  Fedora 19: java-1.7.0-openjdk 1.7.0.71-2.5.3.0.fc19
  Fedora 20: java-1.7.0-openjdk 1.7.0.71-2.5.3.0.fc20

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 19: java-1.8.0-openjdk 1.8.0.25-0.b18.fc19
  Fedora 20: java-1.8.0-openjdk 1.8.0.25-0.b18.fc20

HP-UX: Java version 1.7.0.11.00.
The version 1.7.0.11.00 is fixed:
  http://www.hp.com/java

IBM Rational Application Developer: version 9.0.1.2.
The version 9.0.1.2 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24039952

Mandriva: new java-1.7.0-openjdk packages.
New packages are available:
  Mandriva BS1: java-1.7.0-openjdk 1.7.0.65-2.5.3.1.mbs1

McAfee ePO: fixed versions for Java.
Fixed versions are indicated in information sources.

McAfee ePO: version 4.6.9.
The version 4.6.9 is fixed.

RHEL 5: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.71-2.5.3.1.el5_11

RHEL 6, 7: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.7.0-openjdk 1.7.0.71-2.5.3.1.el6
  RHEL 7: java-1.7.0-openjdk 1.7.0.71-2.5.3.1.el7_0

RHEL 6: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.25-1.b17.el6

RHEL: new java-1.5.0-ibm packages.
New packages are available:
  RHEL 5: java-1.5.0-ibm 1.5.0.16.8-1jpp.1.el5
  RHEL 6: java-1.5.0-ibm 1.5.0.16.8-1jpp.1.el6_6

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.2-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.2-1jpp.1.el6_6

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.33-1.13.5.0.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.33-1.13.5.0.el6_6
  RHEL 7: java-1.6.0-openjdk 1.6.0.33-1.13.5.0.el7_0

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.85-1jpp.3.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.85-1jpp.2.el6
  RHEL 7: java-1.6.0-sun 1.6.0.85-1jpp.2.el7

RHEL: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.8.0-1jpp.1.el5
  RHEL 6: java-1.7.0-ibm 1.7.0.8.0-1jpp.1.el6_6

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.72-1jpp.4.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.72-1jpp.2.el6
  RHEL 7: java-1.7.0-oracle 1.7.0.72-1jpp.2.el7

RHEL: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.2.0-1jpp.3.el6_6

SUSE LE 11: new java-1_x_0-ibm packages.
New packages are available:
  SUSE LE 11: java-1_6_0-ibm 1.6.0_sr16.2-0.3.1, java-1_7_0-ibm 1.7.0_sr8.0-0.5.1
  SUSE LE 12: java-1_7_1-ibm 1.7.1_sr2.0-4.1

SUSE LE 12: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 12: java-1_7_0-openjdk 1.7.0.71-6.2

SUSE Manager 1.7 for SLE 11: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11: java-1_6_0-ibm 1.6.0_sr16.2-0.3.1

Tivoli Workload Scheduler: solution for OpenSSL and Java.
The solution is indicated in information sources.

Ubuntu: new openjdk-6-jre packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6-jre 6b33-1.13.5-1ubuntu0.12.04
  Ubuntu 10.04 LTS: openjdk-6-jre 6b33-1.13.5-1ubuntu0.10.04

Ubuntu: new OpenJDK 7 packages.
New packages are available:
  Ubuntu 14.04 LTS: openjdk-7-jre 7u71-2.5.3-0ubuntu0.14.04.1, icedtea-7-jre-jamvm 7u71-2.5.3-0ubuntu0.14.04.1
  Ubuntu 14.10: openjdk-7-jre 7u71-2.5.3-0ubuntu1, icedtea-7-jre-jamvm 7u71-2.5.3-0ubuntu1

WebSphere MQ: solution.
The solution is indicated in information sources.
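As an added check that is not part of the bulletin, the following Python script compares the version reported by `java -version` against the fixed Oracle Java SE levels listed above (8u25, 7u71, 6u85, 5.0u75). The sample banner is constructed, not captured from a real host; distribution packages (the RHEL, Debian, Fedora and SUSE entries above) carry their own package version strings, so for those compare the package version rather than this banner.

```python
import re

# Fixed Oracle Java SE update levels from this bulletin, keyed by version family:
# 5.0u75, 6u85, 7u71, 8u25. Any lower update in the same family is affected.
FIXED_UPDATE = {5: 75, 6: 85, 7: 71, 8: 25}

# Classic "1.<family>.0_<update>" form used by Java 5 to 8, e.g. 1.7.0_65
# or 1.8.0_25-b18 (the trailing -bNN build tag is ignored).
_VERSION_RE = re.compile(r'^1\.(\d)\.0(?:_(\d+))?')

# First line of `java -version` reads 'java version "..."' or 'openjdk version "..."'.
_BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(version):
    """'1.7.0_65' -> (7, 65); a bare '1.7.0' is the base release, update 0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version)
    return int(m.group(1)), int(m.group(2) or 0)


def is_fixed(version):
    """True when the version is at or above the fixed update for its family."""
    family, update = parse_java_version(version)
    if family not in FIXED_UPDATE:
        raise ValueError("family %d is not covered by this bulletin" % family)
    return update >= FIXED_UPDATE[family]


def audit_java_version_output(text):
    """Classify the output of `java -version` against the bulletin's fixed levels."""
    m = _BANNER_RE.search(text)
    if not m:
        return {"status": "unknown", "reason": "no version banner found"}
    version = m.group(1)
    try:
        fixed = is_fixed(version)
    except ValueError as exc:
        return {"status": "unknown", "version": version, "reason": str(exc)}
    family = parse_java_version(version)[0]
    required = "1.%d.0_%d" % (family, FIXED_UPDATE[family])
    return {"status": "fixed" if fixed else "vulnerable",
            "version": version, "required": required}


# Constructed sample banner (not captured from a real host) for a 7u65 runtime.
SAMPLE_BANNER = '''java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)'''
```

Run `audit_java_version_output` on the captured output of `java -version` (note that the banner is printed on stderr) for each JRE installed on a host, since several families can coexist.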

Computer vulnerabilities tracking service 

Vigil@nce provides a computer security alert. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.