The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Oracle Java: several vulnerabilities of October 2015

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of Oracle Java.
Impacted systems: DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Fedora, AIX, Domino by IBM, Notes by IBM, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, JAXP, ePO, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, JavaFX, Puppet, RHEL, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity of this alert: 3/4.
Number of vulnerabilities in this bulletin: 26.
Creation date: 21/10/2015.
References of this alert: 1969620, 1971361, 1971479, 1973785, 1974831, 1978806, 1981838, 56203, 9010041, 9010044, BSA-2016-002, BSA-2016-004, CERTFR-2015-AVI-439, cpuoct2015, CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4901, CVE-2015-4902, CVE-2015-4903, CVE-2015-4906, CVE-2015-4908, CVE-2015-4911, CVE-2015-4916, DSA-3381-1, DSA-3381-2, DSA-3401-1, FEDORA-2015-27cfe187b5, FEDORA-2015-ce54f85a3e, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1902-1, openSUSE-SU-2015:1905-1, openSUSE-SU-2015:1906-1, openSUSE-SU-2015:1971-1, openSUSE-SU-2016:0268-1, openSUSE-SU-2016:0270-1, openSUSE-SU-2016:0272-1, openSUSE-SU-2016:0279-1, RHSA-2015:1919-01, RHSA-2015:1920-01, RHSA-2015:1921-01, RHSA-2015:1926-01, RHSA-2015:1927-01, RHSA-2015:1928-01, RHSA-2015:2086-01, RHSA-2015:2506-01, RHSA-2015:2507-01, RHSA-2015:2508-01, RHSA-2015:2509-01, RHSA-2015:2518-01, SB10141, SUSE-SU-2015:1874-2, SUSE-SU-2015:1875-2, SUSE-SU-2015:2166-1, SUSE-SU-2015:2168-1, SUSE-SU-2015:2168-2, SUSE-SU-2015:2182-1, SUSE-SU-2015:2192-1, SUSE-SU-2015:2216-1, SUSE-SU-2015:2268-1, SUSE-SU-2016:0113-1, SUSE-SU-2016:0265-1, SUSE-SU-2016:0269-1, USN-2784-1, USN-2818-1, USN-2827-1, VIGILANCE-VUL-18149.

Description of the vulnerability 

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4835]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4881]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4843]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4883]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4860]

An attacker can use a vulnerability of Serialization, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4805]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-21214). [severity:3/4; CVE-2015-4844]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4901]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4868]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-4810]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2015-4806]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; CVE-2015-4871]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; CVE-2015-4902]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; CVE-2015-4840]

An attacker can use a vulnerability of CORBA, in order to trigger a denial of service. [severity:2/4; CVE-2015-4882]

An attacker can use a vulnerability of JAXP, in order to obtain information. [severity:2/4; CVE-2015-4842]

An attacker can use a vulnerability of JGSS, in order to obtain information. [severity:2/4; CVE-2015-4734]

An attacker can use a vulnerability of RMI, in order to obtain information. [severity:2/4; CVE-2015-4903]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4803]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4893]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2015-4911]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; CVE-2015-4872]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4906]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4916]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; CVE-2015-4908]

Severity: important (3/4), as assessed by the Vigil@nce team.

Trust level: confirmed by the editor (source: vendor document).

Attacker skill required: expert.

Solutions for this threat 

Oracle Java, OpenJDK: version 8u65.
Version 8u65 contains the fixes (downloads and release notes):
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html

Oracle Java, OpenJDK: version 7u91.
Version 7u91 contains the fixes (downloads and release notes):
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html

Oracle Java, OpenJDK: version 6u105.
Version 6u105 contains the fixes (downloads and release notes):
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
Note that public updates of Oracle Java SE 7 and 6 had already ended before this Critical Patch Update (April 2015 and February 2013 respectively), so 7u91 and 6u105 are delivered through My Oracle Support to customers with a support contract. OpenJDK builds of the same update levels (for example IcedTea 2.6.3 for 7u91, and the distribution packages listed in this section) are the public alternative.
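A practical way to act on the three fixed update levels above is to compare the banner printed by `java -version` against them. The script below is an added example written for this page, not code from Vigil@nce or Oracle; it assumes the standard `java version "1.<major>.0_<update>"` banner format and uses constructed sample banners (not output captured from a real host). The fix levels 8u65, 7u91 and 6u105 are the ones stated in this bulletin.

```python
import re
import subprocess

# Minimum update level per Java major that carries the October 2015 CPU fixes,
# as listed in this bulletin: 8u65, 7u91, 6u105.
FIXED_UPDATE = {8: 65, 7: 91, 6: 105}

# Matches the first line of `java -version` output, e.g.
#   java version "1.8.0_60"
#   openjdk version "1.7.0_91"
# A trailing build tag such as "-b17" after the update number is ignored.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.0_(\d+)')


def parse_version(banner):
    """Return (major, update) parsed from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_fixed(banner):
    """True if the JRE described by `banner` is at or above the fix level
    for its major. Unparsable banners and majors not covered by this bulletin
    (Java 5, Java 9 early-access, ...) return False, i.e. "not verified",
    so the check fails closed rather than silently passing."""
    parsed = parse_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    if major not in FIXED_UPDATE:
        return False
    return update >= FIXED_UPDATE[major]


def check_installed(java_cmd="java"):
    """Run `java -version` for the given command and return is_fixed() on its
    banner, or None if the command cannot be run. The JVM prints the banner
    on stderr, so stderr is read first."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_fixed(proc.stderr or proc.stdout)


# Constructed sample banners (hypothetical, not captured from real hosts),
# mapped to the result the check is expected to give for each.
SAMPLE_BANNERS = {
    'java version "1.8.0_60"': False,
    'java version "1.8.0_65"': True,
    'openjdk version "1.7.0_85"': False,
    'openjdk version "1.7.0_91"': True,
    'java version "1.6.0_45"': False,
    'java version "1.6.0_105"': True,
    'openjdk version "9-ea"': False,
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        print(f"{banner:30} fixed={is_fixed(banner)} (expected {expected})")
    print("local java:", check_installed())
```

This banner check is only meaningful for Oracle and upstream OpenJDK builds. Distribution packages backport the fixes under their own version strings (Debian's first update, for instance, shipped as openjdk-7 7u85-2.6.1-6 and would be reported as "not fixed" by this script), so for RHEL, Debian, Ubuntu, SUSE and the other systems below, compare the installed package version with the package lists in this section instead. Also remember that several JREs can coexist on one host (application servers and IBM products in particular bundle their own), so run the check against each `java` binary, not just the one first in PATH.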

AIX: fixed versions for Java.
Fixed versions are indicated in information sources.

Brocade: solution.
The solution is indicated in information sources.

Brocade: solution for multiple vulnerabilities (04/04/2016).
The following versions fix several vulnerabilities (but not CVE-2016-0705):
  Brocade Network Advisor : install version 12.4.2 or 14.0.1.
  Brocade vTM : install version 9.9r1 or 10.3r1.
The detailed solution is indicated in information sources.

Debian: new openjdk-7 packages (02/11/2015).
New packages are available:
  Debian 7: openjdk-7 7u85-2.6.1-6~deb7u1
  Debian 8: openjdk-7 7u85-2.6.1-6~deb8u1

Debian: new openjdk-7 packages (23/11/2015).
New packages are available:
  Debian 7: openjdk-7 7u91-2.6.3-1~deb7u1
  Debian 8: openjdk-7 7u91-2.6.3-1~deb8u1

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 21: java-1.8.0-openjdk 1.8.0.65-3.b17.fc21
  Fedora 22: java-1.8.0-openjdk 1.8.0.65-3.b17.fc22

IBM Domino, Notes: solution for Java.
The solution is indicated in information sources.

IBM Rational Application Developer for WebSphere: patch for IBM Java SDK.
A patch is indicated in information sources.

IBM Security Directory Server: fixed versions for Java.
Fixed versions are indicated in information sources.

IBM Tivoli System Automation: patch for IBM Java.
The applicable patch according to the installed version is indicated in information sources.

IBM Tivoli Workload Scheduler: patch for Java.
A patch is indicated in information sources.

IBM WebSphere MQ: patch for Java.
A patch is indicated in information sources.

IcedTea: version 1.13.9 (OpenJDK 6 build 6b37).
Version 1.13.9 contains the fixes:
  http://icedtea.classpath.org/download/source/icedtea6-1.13.9.tar.gz

IcedTea: version 2.6.3 (OpenJDK 7u91).
Version 2.6.3 contains the fixes:
  http://icedtea.classpath.org/download/source/icedtea-2.6.3.tar.gz

McAfee ePO: patch for Java.
A patch is available:
  EPO5xHF1102635.zip

NetApp SnapManager: patch for Oracle Java.
A patch is available:
  SnapManager for Oracle: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=959904
  SnapManager for SAP: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=959905

NetApp SnapManager: solution for Java.
The solution is indicated in information sources.

openSUSE 13.1: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.91-24.24.1

openSUSE 13.2, Leap: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.91-13.1
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.91-22.1

openSUSE 13.2: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_8_0-openjdk 1.8.0.65-18.1

openSUSE 13: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.95-24.27.1
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.95-16.1

openSUSE Leap 42.1: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.95-25.1

openSUSE Leap 42.1: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_8_0-openjdk 1.8.0.72-6.1

Puppet Enterprise: version 2015.2.3.
The version 2015.2.3 is fixed:
  https://puppetlabs.com/

Puppet Enterprise: version 3.8.3.
The version 3.8.3 is fixed:
  https://puppetlabs.com/

RHEL 6, 7: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.65-0.b17.el6_7
  RHEL 7: java-1.8.0-openjdk 1.8.0.65-2.b17.el7_1

RHEL: new java-1.5.0-ibm packages.
New packages are available:
  RHEL 5: java-1.5.0-ibm 1.5.0.16.14-1jpp.1.el5
  RHEL 6: java-1.5.0-ibm 1.5.0.16.14-1jpp.1.el6_7

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.37-1.13.9.4.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.37-1.13.9.4.el6_7
  RHEL 7: java-1.6.0-openjdk 1.6.0.37-1.13.9.4.el7_1

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.105-1jpp.2.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.105-1jpp.2.el6_7
  RHEL 7: java-1.6.0-sun 1.6.0.105-1jpp.2.el7_1

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.91-2.6.2.1.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.91-2.6.2.2.el6_7
  RHEL 7: java-1.7.0-openjdk 1.7.0.91-2.6.2.1.el7_1

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.91-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.91-1jpp.1.el6_7
  RHEL 7: java-1.7.0-oracle 1.7.0.91-1jpp.1.el7_1

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.65-1jpp.3.el6_7

RHEL: new java-1.x.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.15-1jpp.1.el5, java-1.7.0-ibm 1.7.0.9.20-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.15-1jpp.1.el6_7, java-1.7.1-ibm 1.7.1.3.20-1jpp.1.el6_7
  RHEL 7: java-1.7.1-ibm 1.7.1.3.20-1jpp.1.el7, java-1.8.0-ibm 1.8.0.2.0-1jpp.1.el7

SAS: patch for Java 2015/10.
A patch is indicated in information sources.

SUSE LE 10: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 10 SP4: java-1_6_0-ibm 1.6.0_sr16.15-0.16.1

SUSE LE 11: new java-1_6_0-ibm packages (02/12/2015).
New packages are available:
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.15-46.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.15-46.1

SUSE LE 11: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.20-42.1
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.20-42.1

SUSE LE 12: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.20-17.1

SUSE LE 12 SP1: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.20-18.1

SUSE LE 12 SP1: new java-1_8_0-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-ibm 1.8.0_sr2.0-4.1

SUSE LE: new java-1_7_0-openjdk packages (03/11/2015).
New packages are available:
  SUSE LE 11 SP3: java-1_7_0-openjdk 1.7.0.91-0.14.2
  SUSE LE 11 SP4: java-1_7_0-openjdk 1.7.0.91-0.14.2
  SUSE LE 12 RTM: java-1_7_0-openjdk 1.7.0.91-21.2

SUSE LE: new java-1_7_0-openjdk packages (28/01/2016).
New packages are available:
  SUSE LE 12 SP1: java-1_7_0-openjdk 1.7.0.95-24.2
  SUSE LE 12 RTM: java-1_7_0-openjdk 1.7.0.95-24.2
  SUSE LE 11 SP4: java-1_7_0-openjdk 1.7.0.95-0.17.2
  SUSE LE 11 SP3: java-1_7_0-openjdk 1.7.0.95-0.17.2

Ubuntu 12.04: new openjdk-6-jre packages.
New packages are available:
  Ubuntu 12.04 LTS: icedtea-6-jre 6b37-1.13.9-1ubuntu0.12.04.1

Ubuntu: new openjdk-7-jre packages (26/11/2015).
New packages are available:
  Ubuntu 15.10: openjdk-7-jre 7u91-2.6.3-0ubuntu0.15.10.1
  Ubuntu 15.04: openjdk-7-jre 7u91-2.6.3-0ubuntu0.15.04.1
  Ubuntu 14.04 LTS: openjdk-7-jre 7u91-2.6.3-0ubuntu0.14.04.1

Ubuntu: new openjdk-7-jre packages (28/10/2015).
New packages are available:
  Ubuntu 15.10: openjdk-7-jre 7u85-2.6.1-5ubuntu0.15.10.1
  Ubuntu 15.04: openjdk-7-jre 7u85-2.6.1-5ubuntu0.15.04.1
  Ubuntu 14.04 LTS: openjdk-7-jre 7u85-2.6.1-5ubuntu0.14.04.1

WebSphere AS: fixed versions for Java.
Fixed versions are indicated in information sources.