The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Oracle Java: vulnerabilities of January 2017

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of Oracle Java.
Vulnerable products: Debian, VNX Operating Environment, VNX Series, Fedora, AIX, Domino by IBM, Notes by IBM, IRAD, Security Directory Server, QRadar SIEM, SPSS Statistics, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, WebSphere MQ, ePO, SnapManager, Java OpenJDK, openSUSE Leap, Java Oracle, Solaris, RHEL, RSA Authentication Manager, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this weakness: 3/4.
Number of vulnerabilities in this bulletin: 17.
Creation date: 18/01/2017.
References of this bulletin: 1998379, 1998858, 1999054, 1999999, 2000212, 2000304, 2000516, 2000544, 2000602, 2000988, 2000990, 2001608, 2002331, 2002335, 2002336, 2002479, 2002537, 2002966, 2002991, 2003145, 2004036, 2004938, 2007242, bulletinapr2017, CERTFR-2017-AVI-017, cpujan2017, CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289, DLA-802-1, DLA-821-1, DSA-2019-131, DSA-2020-072, DSA-3782-1, ERPSCAN-17-006, ESA-2017-051, FEDORA-2017-4cb58f0bda, FEDORA-2017-c1252ccd41, ibm10718843, java_jan2017_advisory, NTAP-20170119-0001, openSUSE-SU-2017:0374-1, openSUSE-SU-2017:0513-1, RHSA-2017:0175-01, RHSA-2017:0176-01, RHSA-2017:0177-01, RHSA-2017:0180-01, RHSA-2017:0263-01, RHSA-2017:0269-01, RHSA-2017:0336-01, RHSA-2017:0337-01, RHSA-2017:0338-01, RHSA-2017:0462-01, SB10186, SUSE-SU-2017:0346-1, SUSE-SU-2017:0460-1, SUSE-SU-2017:0490-1, SUSE-SU-2017:1444-1, USN-3179-1, USN-3194-1, USN-3198-1, VIGILANCE-VUL-21606, ZDI-17-056, ZDI-17-057.

Description of the vulnerability 

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3289, ZDI-17-057]

An attacker can use a vulnerability via Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3272, ZDI-17-056]

An attacker can use a vulnerability via RMI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3241]

An attacker can use a vulnerability via AWT, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3260]

An attacker can use a vulnerability via 2D, in order to trigger a denial of service. [severity:3/4; CVE-2017-3253]

An attacker can use a vulnerability via Libraries, in order to alter information. [severity:3/4; CVE-2016-5546]

An attacker can use a vulnerability via Libraries, in order to obtain information. [severity:2/4; CVE-2016-5549]

An attacker can use a vulnerability via Libraries, in order to obtain information. [severity:2/4; CVE-2016-5548]

An attacker can use a vulnerability via JAAS, in order to alter information. [severity:2/4; CVE-2017-3252]

An attacker can use a vulnerability via Java Mission Control, in order to obtain information. [severity:2/4; CVE-2017-3262]

An attacker can use a vulnerability via Libraries, in order to trigger a denial of service. [severity:2/4; CVE-2016-5547]

An attacker can use a vulnerability via Networking, in order to alter information. [severity:2/4; CVE-2016-5552]

An attacker can use a vulnerability via Networking, in order to obtain information. [severity:2/4; CVE-2017-3231]

An attacker can use a vulnerability via Networking, in order to obtain information. [severity:2/4; CVE-2017-3261]

An attacker can use a vulnerability via Deployment, in order to obtain information. [severity:1/4; CVE-2017-3259]

An attacker can use a vulnerability via Java Mission Control, in order to alter information. [severity:1/4; CVE-2016-8328]

An attacker can use a vulnerability via Libraries, in order to obtain information. [severity:1/4; CVE-2016-2183]


The Vigil@nce team rates the severity of this threat announcement as important.

The trust level is confirmed by the vendor, and the attack origin is an intranet client.

This bulletin is about 17 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit these vulnerabilities.

Solutions for this threat 

Oracle Java: version 8u121.
The version 8u121 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
  http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

Oracle Java: version 7u131.
The version 7u131 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html

Oracle Java: version 6u141.
The version 6u141 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
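A check that reads a `java -version` banner and compares its update level against the fixed Oracle Java releases listed above (8u121, 7u131, 6u141). This is an added example, not part of the Vigil@nce bulletin; the sample banners are constructed, and IBM JDK builds, which number releases by service refresh rather than update level, are reported as unknown rather than guessed.

```python
import re
import subprocess

# Fixed Oracle Java update levels named in this bulletin: 8u121, 7u131, 6u141.
FIXED_UPDATE = {8: 121, 7: 131, 6: 141}

# Matches the first line of `java -version`, e.g. 'java version "1.8.0_112"'
# or 'openjdk version "1.7.0_131"'. IBM Java prints "1.8.0" without an
# update suffix, so it deliberately fails to match and is reported as unknown.
_BANNER_RE = re.compile(r'version "1\.([678])\.0_(\d+)')


def parse_banner(banner: str):
    """Return (major, update) from a `java -version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(banner: str) -> str:
    """Classify a banner as 'fixed', 'vulnerable' or 'unknown' for this bulletin."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    return "fixed" if update >= FIXED_UPDATE[major] else "vulnerable"


def local_banner() -> str:
    """Run `java -version` on this host; the JVM prints the banner on stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr or proc.stdout


# Constructed sample banners (not captured from real hosts).
SAMPLES = {
    "oracle 8u112": 'java version "1.8.0_112"\nJava(TM) SE Runtime Environment (build 1.8.0_112-b15)\n',
    "oracle 8u121": 'java version "1.8.0_121"\nJava(TM) SE Runtime Environment (build 1.8.0_121-b13)\n',
    "openjdk 7u131": 'openjdk version "1.7.0_131"\nOpenJDK Runtime Environment (IcedTea 2.6.9)\n',
    "java 6u131": 'java version "1.6.0_131"\n',
    "ibm 8 sr4": 'java version "1.8.0"\nJava(TM) SE Runtime Environment (build sr4fp1 constructed sample)\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:14s} -> {assess(banner)}")
    host = local_banner()
    if host:
        print(f"{'this host':14s} -> {assess(host)}")
```

Distribution packages such as RHEL java-1.7.0-openjdk 1.7.0.131 report "1.7.0_131" in the banner, so they are classified by the same rule; an "unknown" result means the package version must be checked against the vendor entries below instead.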

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u121-2.6.8-2~deb7u1
  Debian 8: openjdk-7 7u121-2.6.8-2~deb8u1

Dell EMC VNX2: fixed versions for Java.
Fixed versions are indicated in information sources.

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Fedora: new java-1.8.0-openjdk-aarch32 packages.
New packages are available:
  Fedora 25: java-1.8.0-openjdk-aarch32 1.8.0.112-3.161109.fc25
  Fedora 24: java-1.8.0-openjdk-aarch32 1.8.0.112-3.161109.fc24

IBM AIX: patch for Java.
A patch location is provided in the information sources, with one patch for each JDK version and each architecture (32 or 64 bits).

IBM BigFix Compliance Analytics: version 1.9.79.
The version 1.9.79 is fixed.

IBM BigFix Inventory: solution for Java.
The solution is indicated in information sources.

IBM BigFix Remote Control: version 9.1.4.
The version 9.1.4 is fixed:
  http://www-01.ibm.com/
See also the bulletin VIGILANCE-SOL-48754.

IBM Cognos Analytics: version 11.0.7.0.
The version 11.0.7.0 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24043955

IBM Cognos Business Intelligence: fixed versions.
The following versions are fixed:
  Version 10.2.x: http://www.ibm.com/support/docview.wss?uid=swg24043664
  Version 10.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043663

IBM Domino: solution for Java.
The solution is indicated in information sources.

IBM MQ: patch for Java.
A patch is indicated in information sources.

IBM Notes: solution for Java.
The solution is indicated in information sources.

IBM QRadar SIEM: solution for Java.
The solution is indicated in information sources.

IBM Rational Application Developer for WebSphere: patch for Java.
A patch is available:
  version 9.x: https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Rational+Application+Developer+for+WebSphere+Software&release=9.5.0&platform=All&function=fixId&fixids=Rational-RAD-Java8SR4FP1-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp
  version 8.x: https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Rational+Application+Developer+for+WebSphere+Software&release=9.1.0&platform=All&function=fixId&fixids=Rational-RAD-Java7SR10FP1-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp

IBM Security Directory Server: solution for Java.
The solution is indicated in information sources.

IBM Spectrum Protect Snapshot: patch for Java.
A patch is available:
  Version 4.1.x: http://www.ibm.com/support/docview.wss?uid=swg24043426
  Version 3.2.x: http://www.ibm.com/support/docview.wss?uid=swg24043440

IBM SPSS Statistics: solution for Java Runtime.
The solution is indicated in information sources.

IBM Tivoli Storage Manager: patch for Java.
A patch is indicated in information sources for branches 6.4, 7.1 and 8.1.

IBM Tivoli System Automation for Multiplatforms: solution for Java.
The solution is indicated in information sources.

IBM WebSphere Enterprise Service Bus: solution for Java.
The solution is indicated in information sources.

McAfee ePolicy Orchestrator: patch for TLS and Oracle Java.
A patch is indicated in information sources for product versions 5.1.3 to 5.3.2.

NetApp: solution for Java.
The solution is indicated in information sources.

openSUSE Leap: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.131-40.1
  openSUSE Leap 42.2: java-1_7_0-openjdk 1.7.0.131-40.1

openSUSE Leap: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_8_0-openjdk 1.8.0.121-21.4
  openSUSE Leap 42.2: java-1_8_0-openjdk 1.8.0.121-6.4

Oracle Solaris: patch for third party software of April 2017 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

RHEL 5: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.10.1-1jpp.1.el5_11

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.41-1jpp.1.el5_11
  RHEL 6: java-1.6.0-ibm 1.6.0.16.41-1jpp.1.el6_8

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.141-1jpp.1.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.141-1jpp.1.el6_8
  RHEL 7: java-1.6.0-sun 1.6.0.141-1jpp.1.el7_3

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.131-2.6.9.0.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.131-2.6.9.0.el6_8
  RHEL 7: java-1.7.0-openjdk 1.7.0.131-2.6.9.0.el7_3

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.131-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.131-1jpp.1.el6_8
  RHEL 7: java-1.7.0-oracle 1.7.0.131-1jpp.1.el7_3

RHEL: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.4.1-1jpp.1.el6_8
  RHEL 7: java-1.7.1-ibm 1.7.1.4.1-1jpp.2.el7

RHEL: new java-1.8.0-ibm packages.
New packages are available:
  RHEL 6: java-1.8.0-ibm 1.8.0.4.1-1jpp.1.el6_8
  RHEL 7: java-1.8.0-ibm 1.8.0.4.1-1jpp.2.el7

RHEL: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.121-0.b13.el6_8
  RHEL 7: java-1.8.0-openjdk 1.8.0.121-0.b13.el7_3

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.121-1jpp.1.el6_8
  RHEL 7: java-1.8.0-oracle 1.8.0.121-1jpp.1.el7_3

RSA Authentication Manager: patch for Java.
A patch is indicated in information sources.

SUSE LE 12: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 12 RTM: java-1_7_0-openjdk 1.7.0.131-39.1
  SUSE LE 12 SP1: java-1_7_0-openjdk 1.7.0.131-39.1
  SUSE LE 12 SP2: java-1_7_0-openjdk 1.7.0.131-39.1

SUSE LE 12: new java-1_8_0-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-ibm 1.8.0_sr4.0-23.1
  SUSE LE 12 SP2: java-1_8_0-ibm 1.8.0_sr4.0-23.1

SUSE LE 12: new java-1_8_0-openjdk packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-openjdk 1.8.0.121-20.1
  SUSE LE 12 SP2: java-1_8_0-openjdk 1.8.0.121-20.1

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.45-84.1

Ubuntu: new openjdk-6 packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6 6b41-1.13.13-0ubuntu0.12.04.1

Ubuntu: new openjdk-7 packages.
New packages are available:
  Ubuntu 14.04 LTS: openjdk-7 7u121-2.6.8-1ubuntu0.14.04.3

Ubuntu: new openjdk-8 packages.
New packages are available:
  Ubuntu 16.10: openjdk-8-jdk 8u121-b13-0ubuntu1.16.10.2, openjdk-8-jre 8u121-b13-0ubuntu1.16.10.2
  Ubuntu 16.04 LTS: openjdk-8-jdk 8u121-b13-0ubuntu1.16.04.2, openjdk-8-jre 8u121-b13-0ubuntu1.16.04.2

WebSphere AS: solution for Java.
The solution is indicated in information sources.
