

Oracle Java: vulnerabilities of July 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Severity of this bulletin: 3/4.
Number of vulnerabilities in this bulletin: 13.
Creation date: 20/07/2016.
References of this threat: 1988339, 1988894, 1988978, 1989049, 1989337, 1990031, 1990448, 1991383, 1991909, 1991910, 1991911, 1991913, 1991997, 1995792, 1995799, 2001630, 2007242, 486953, CERTFR-2016-AVI-243, cpujul2016, CVE-2016-3458, CVE-2016-3485, CVE-2016-3498, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3552, CVE-2016-3587, CVE-2016-3598, CVE-2016-3606, CVE-2016-3610, DLA-579-1, DSA-3641-1, ESA-2016-099, FEDORA-2016-588e386aaa, FEDORA-2016-c07d18b2a5, FEDORA-2016-c60d35c46c, openSUSE-SU-2016:2050-1, openSUSE-SU-2016:2051-1, openSUSE-SU-2016:2052-1, openSUSE-SU-2016:2058-1, RHSA-2016:1458-01, RHSA-2016:1475-01, RHSA-2016:1476-01, RHSA-2016:1477-01, RHSA-2016:1504-01, RHSA-2016:1587-01, RHSA-2016:1588-01, RHSA-2016:1589-01, RHSA-2016:1776-01, SB10166, SOL05016441, SOL25075696, SUSE-SU-2016:1997-1, SUSE-SU-2016:2012-1, SUSE-SU-2016:2261-1, SUSE-SU-2016:2286-1, SUSE-SU-2016:2347-1, SUSE-SU-2016:2348-1, SUSE-SU-2016:2726-1, USN-3043-1, USN-3062-1, USN-3077-1, VIGILANCE-VUL-20169, ZDI-16-445, ZDI-16-446, ZDI-16-447, ZDI-16-448.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Communications.

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3587, ZDI-16-448]

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3606, ZDI-16-447]

An attacker can use a vulnerability via Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3598, ZDI-16-446]

An attacker can use a vulnerability via Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3610, ZDI-16-445]

An attacker can use a vulnerability via Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3552]

An attacker can use a vulnerability via Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3511]

An attacker can use a vulnerability via Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3503]

An attacker can use a vulnerability via JavaFX, in order to trigger a denial of service. [severity:2/4; CVE-2016-3498]

An attacker can use a vulnerability via JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3500]

An attacker can use a vulnerability via JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2016-3508]

An attacker can use a vulnerability via CORBA, in order to alter information. [severity:2/4; CVE-2016-3458]

An attacker can use a vulnerability via Hotspot, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-3550]

An attacker can use a vulnerability via Networking, in order to alter information. [severity:1/4; CVE-2016-3485]

This vulnerability note impacts software or systems such as Debian, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, AIX, Domino, Notes, IRAD, SPSS Statistics, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, WebSphere MQ, JAXP, ePO, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this cybersecurity vulnerability is important.

The trust level is: confirmed by the editor. The attack origin is: user account.

This bulletin is about 13 vulnerabilities.

An attacker with an expert ability can exploit this computer threat note.

Solutions for this threat

Oracle Java: version 8u101/8u102.
The version 8u101/8u102 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
  http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

Oracle Java: version 7u111.
The version 7u111 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html

Oracle Java: version 6u121.
The version 6u121 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
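The three Oracle Java entries above give the update level at which each release family is fixed (6u121, 7u111, 8u101). The following script is an added example, not part of the Vigil@nce bulletin or Oracle's tooling: it parses the banner printed by `java -version` (which goes to stderr, not stdout) and reports whether the installed update is at or above the bulletin's fixed level. The `FIXED_UPDATE` table is taken from the bulletin; the sample banners are constructed for illustration, and the `1.x.0_NN` version scheme assumed here is the one used by Java 6, 7 and 8.

```python
import re
import subprocess

# Fixed update levels stated in this bulletin, keyed by Java major release.
FIXED_UPDATE = {6: 121, 7: 111, 8: 101}

# Matches banners such as 'java version "1.8.0_91"' or
# 'openjdk version "1.7.0_111"'; trailing build tags like "-b13" are ignored.
_VERSION_RE = re.compile(r'version "1\.(\d)\.0_(\d+)')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if the
    banner does not use the pre-Java-9 1.x.0_NN scheme."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(banner):
    """True if the banner's update level meets this bulletin's fix, False if it
    is older, None if the release family is not covered or not parseable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update >= fixed


def check_local_java(java_cmd="java"):
    """Run `java -version` on this host and classify the result.
    `java -version` writes its banner to stderr, so that stream is read."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return is_patched(proc.stderr or proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    samples = [
        'java version "1.8.0_91"',          # below 8u101: not patched
        'java version "1.8.0_101-b13"',     # exactly 8u101: patched
        'openjdk version "1.7.0_111"',      # 7u111: patched
        'java version "1.6.0_119"',         # below 6u121: not patched
        'java version "9"',                 # not covered by this bulletin
    ]
    for banner in samples:
        print(f"{banner:35s} -> patched={is_patched(banner)}")
    print("local host ->", check_local_java())
```

`None` is deliberately distinct from `False`: a banner the script cannot classify (a newer release family, a vendor JVM with a different version string) should be reviewed by hand rather than reported as fixed.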

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u111-2.6.7-1~deb7u1
  Debian 8: openjdk-7 7u111-2.6.7-1~deb8u1

EMC VNX1: solution for Oracle Java SE.
The solution is indicated in information sources.

F5 BIG-IP: solution for Java.
The solution is indicated in information sources.

Fedora 24: new java-1.8.0-openjdk-aarch32 packages.
New packages are available:
  Fedora 24: java-1.8.0-openjdk-aarch32 1.8.0.102-1.160812.fc24

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 23: java-1.8.0-openjdk 1.8.0.101-1.b14.fc23
  Fedora 24: java-1.8.0-openjdk 1.8.0.101-1.b14.fc24

IBM AIX: patch for Java.
A patch is indicated in information sources.

IBM BigFix Compliance Analytics: version 1.9.
The version 1.9 is fixed.

IBM BigFix Inventory: version 9.2.5.0.
The version 9.2.5.0 is fixed.

IBM Cognos Analytics: version 11.0.7.0.
The version 11.0.7.0 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24043955

IBM MQ: fixed versions for Java.
Fixed versions are indicated in information sources.

IBM Notes, Domino: solution for Java.
The solution is indicated in information sources.

IBM Rational Application Developer: patch for Java.
A patch is indicated in information sources.

IBM SPSS Statistics: patch for Java.
A patch is indicated in information sources, with one link for each version of IBM SPSS Statistics and for each platform.

IBM Tivoli Storage Manager: patch for Java.
A patch is available:
  TSM 7.1: http://www.ibm.com/support/docview.wss?uid=swg24042520
  TSM 6.4: http://www.ibm.com/support/docview.wss?uid=swg24041370
  TSM 6.3: http://www.ibm.com/support/docview.wss?uid=swg24037601

IBM Tivoli System Automation Application Manager: solution for WebSphere AS.
The solution is indicated in information sources.

McAfee ePolicy Orchestrator: solution for Java.
The solution is indicated in information sources.

openSUSE Leap 42.1: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_8_0-openjdk 1.8.0.101-15.1

openSUSE: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.111-24.39.1
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.111-25.1
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.111-34.1

RHEL 5: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.9.50-1jpp.1.el5_11

RHEL 6, 7: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.50-1jpp.1.el6_8
  RHEL 7: java-1.7.1-ibm 1.7.1.3.50-1jpp.1.el7_2

RHEL 6, 7: new java-1.8.0-ibm packages.
New packages are available:
  RHEL 6: java-1.8.0-ibm 1.8.0.3.10-1jpp.2.el6_8
  RHEL 7: java-1.8.0-ibm 1.8.0.3.10-1jpp.2.el7_2

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.40-1.13.12.4.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.40-1.13.12.6.el6_8
  RHEL 7: java-1.6.0-openjdk 1.6.0.40-1.13.12.5.el7_2

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.121-1jpp.1.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.121-1jpp.1.el6_8
  RHEL 7: java-1.6.0-sun 1.6.0.121-1jpp.1.el7

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.111-2.6.7.1.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.111-2.6.7.2.el6_8
  RHEL 7: java-1.7.0-openjdk 1.7.0.111-2.6.7.2.el7_2

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.111-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.111-1jpp.1.el6_8
  RHEL 7: java-1.7.0-oracle 1.7.0.111-1jpp.1.el7

RHEL: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.101-3.b13.el6_8
  RHEL 7: java-1.8.0-openjdk 1.8.0.101-3.b13.el7_2

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.101-1jpp.1.el6_8
  RHEL 7: java-1.8.0-oracle 1.8.0.101-1jpp.1.el7

SUSE LE 11: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.30-75.1
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.30-75.1

SUSE LE 11 SP2/3: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.50-55.1
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.50-55.1

SUSE LE 12: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 12 SP1: java-1_7_0-openjdk 1.7.0.111-33.1

SUSE LE 12: new java-1_8_0-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-ibm 1.8.0_sr3.10-15.1

SUSE LE 12: new java-1_8_0-openjdk packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-openjdk 1.8.0.101-14.3

SUSE LE: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 11 SP4: java-1_7_1-ibm 1.7.1_sr3.50-16.1
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.50-28.2

Ubuntu 12.04: new openjdk-6-jre packages.
New packages are available:
  Ubuntu 12.04 LTS: icedtea-6-jre-cacao 6b40-1.13.12-0ubuntu0.12.04.1

Ubuntu 14.04: new openjdk-7 packages.
New packages are available:
  Ubuntu 14.04 LTS: openjdk-7-jre 7u111-2.6.7-0ubuntu0.14.04.3

Ubuntu 16.04: new openjdk-8 packages.
New packages are available:
  Ubuntu 16.04 LTS: openjdk-8 8u91-b14-3ubuntu1~16.04.1

WebSphere AS: solution for Java.
The solution is indicated in information sources.

WebSphere Enterprise Service Bus: solution for Java.
The solution is indicated in information sources.
