
Vulnerability of Oracle Java: vulnerabilities of October 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Vulnerable systems: Debian, Avamar, Fedora, AIX, Domino by IBM, Notes by IBM, IRAD, QRadar SIEM, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, WebSphere MQ, Junos Space, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this threat: 3/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 19/10/2016.
References of this weakness: 1993440, 1994049, 1994123, 1994478, 1997764, 1999054, 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, 2000212, 2000544, 2000904, 2000988, 2000990, 2001608, 2002331, 2002479, 2002537, 2003145, 2004036, 491108, CERTFR-2016-AVI-349, CERTFR-2017-AVI-012, cpuoct2016, CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5568, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597, DLA-704-1, DSA-3707-1, ESA-2016-137, FEDORA-2016-73054cfeeb, JSA10770, NTAP-20161019-0001, openSUSE-SU-2016:2862-1, openSUSE-SU-2016:2900-1, openSUSE-SU-2016:2985-1, openSUSE-SU-2016:2990-1, openSUSE-SU-2016:3088-1, RHSA-2016:2079-01, RHSA-2016:2088-01, RHSA-2016:2089-01, RHSA-2016:2090-01, RHSA-2016:2136-01, RHSA-2016:2137-01, RHSA-2016:2138-01, RHSA-2016:2658-01, RHSA-2016:2659-01, RHSA-2017:0061-01, SUSE-SU-2016:2887-1, SUSE-SU-2016:3010-1, SUSE-SU-2016:3040-1, SUSE-SU-2016:3041-1, SUSE-SU-2016:3043-1, SUSE-SU-2016:3068-1, SUSE-SU-2016:3078-1, USN-3121-1, USN-3130-1, USN-3154-1, VIGILANCE-VUL-20906, ZDI-16-571.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability via 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5556]

An attacker can use a vulnerability via AWT, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5568, ZDI-16-571]

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5582]

An attacker can use a vulnerability via Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5573]

An attacker can use a vulnerability via Networking, in order to obtain information. [severity:2/4; CVE-2016-5597]

An attacker can use a vulnerability via JMX, in order to alter information. [severity:2/4; CVE-2016-5554]

An attacker can use a vulnerability via Libraries, in order to alter information. [severity:1/4; CVE-2016-5542]

This weakness note impacts software or systems such as Debian, Avamar, Fedora, AIX, Domino by IBM, Notes by IBM, IRAD, QRadar SIEM, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, WebSphere MQ, Junos Space, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this threat note is important.

The trust level is confirmed by the editor, with a document as origin.

This bulletin is about 7 vulnerabilities.

An attacker with an expert ability can exploit this computer weakness.

Solutions for this threat

Oracle Java: version 8u111/8u112.
The version 8u111/8u112 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
  http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html

Oracle Java: version 7u121.
The version 7u121 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html

Oracle Java: version 6u131.
The version 6u131 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
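As an added example (not part of the Vigil@nce bulletin), the following Python check compares the update level reported by an Oracle or OpenJDK `java -version` banner against the fixed Oracle Java levels listed above (6u131, 7u121, 8u111). The banners are constructed samples; the update-number comparison only applies to Oracle-style builds, since distribution packages backport fixes under their own version strings (the Debian openjdk-7 7u111 entry below is fixed despite its lower update number).

```python
import re

# Fixed Oracle Java update levels from this bulletin, keyed by major line
# (1.6 -> 6u131, 1.7 -> 7u121, 1.8 -> 8u111; 8u112 is covered by ">= 111").
FIXED_UPDATE = {6: 131, 7: 121, 8: 111}

# Matches the legacy "1.N.0_UU" scheme used by Java 6/7/8 banners; the banner
# itself is what `java -version` writes to stderr.
_VERSION_RE = re.compile(r'version "1\.(\d)\.0_(\d+)')

# Constructed sample banners (not real output captured on any host).
SAMPLE_BANNERS = {
    "old8": 'java version "1.8.0_102"\nJava(TM) SE Runtime Environment (build 1.8.0_102-b14)',
    "fixed8": 'openjdk version "1.8.0_111"\nOpenJDK Runtime Environment (build 1.8.0_111-b15)',
    "fixed7": 'java version "1.7.0_121"\nJava(TM) SE Runtime Environment (build 1.7.0_121-b15)',
    "old6": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "java9": 'java version "9.0.1"\nJava(TM) SE Runtime Environment (build 9.0.1+11)',
}


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None when the
    banner does not use the 1.N.0_UU scheme (e.g. Java 9 and later)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_fixed(banner):
    """True if the banner's update level is at or above the fixed level for its
    major line, False if it is below, None if the bulletin cannot decide
    (unparseable banner or a major line the bulletin does not cover)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update >= fixed


def audit(banners):
    """Map each host label to its is_fixed() verdict."""
    return {label: is_fixed(banner) for label, banner in banners.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{label}: {'fixed' if verdict else 'NOT fixed' if verdict is False else 'undetermined'}")
```

On a real host feed the block the stderr of `java -version` instead of the sample banner, and for distribution packages rely on the package manager's version (the entries below) rather than on this update-number comparison.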

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u111-2.6.7-2~deb7u1
  Debian 8: openjdk-7 7u111-2.6.7-2~deb8u1

EMC Avamar Data Store, Virtual Edition: solution for JRE.
The solution is indicated in information sources.

Fedora 24: new java-1.8.0-openjdk-aarch32 packages.
New packages are available:
  Fedora 24: java-1.8.0-openjdk-aarch32 1.8.0.102-7.160812.fc24

IBM AIX: patch for Java.
A patch is indicated in information sources, with one link for each JRE version and platform.

IBM BigFix Remote Control: version 9.1.4.
The version 9.1.4 is fixed:
  http://www-01.ibm.com/
See also the bulletin VIGILANCE-SOL-48754.

IBM Cognos Business Intelligence: fixed versions.
The following versions are fixed:
  Version 10.2.x: http://www.ibm.com/support/docview.wss?uid=swg24043664
  Version 10.1.1: http://www.ibm.com/support/docview.wss?uid=swg24043663

IBM Domino: fixed versions for Java.
Fixed versions are indicated in information sources.

IBM Notes: solution for Java.
The solution is indicated in information sources.

IBM QRadar SIEM: version 7.2.8 Patch 4.
The version 7.2.8 Patch 4 is fixed:
  https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170224202650&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

IBM Rational Application Developer for WebSphere: patch for Java.
A patch is available:
  version 9.x: https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Rational+Application+Developer+for+WebSphere+Software&release=9.5.0&platform=All&function=fixId&fixids=Rational-RAD-Java8SR4FP1-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp
  version 8.x: https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Rational+Application+Developer+for+WebSphere+Software&release=9.1.0&platform=All&function=fixId&fixids=Rational-RAD-Java7SR10FP1-ifix&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp

IBM Spectrum Protect Snapshot: patch for Java.
A patch is available:
  Version 4.1.x: http://www.ibm.com/support/docview.wss?uid=swg24043426
  Version 3.2.x: http://www.ibm.com/support/docview.wss?uid=swg24043440

IBM Tivoli Storage Manager: patch for Java.
A patch is indicated in information sources for branches 6.4, 7.1 and 8.1.

IBM Tivoli System Automation Application Manager: solution for Java.
The solution is indicated in information sources.

IBM WebSphere MQ: solution for Java.
The solution is indicated in information sources.

Junos Space: version 16.1R1.
The version 16.1R1 is fixed:
  https://www.juniper.net/

NetApp SnapManager: solution for Java.
The solution is indicated in information sources.

openSUSE 13.1: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.1: java-1_7_0-openjdk 1.7.0.121-24.42.1

openSUSE 13.2: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.121-28.2

openSUSE 13.2: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_8_0-openjdk 1.8.0.111-33.1

openSUSE Leap: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.2: java-1_7_0-openjdk 1.7.0.121-37.2
  openSUSE Leap 42.1: java-1_7_0-openjdk 1.7.0.121-37.2

openSUSE Leap: new java-1_8_0-openjdk packages.
New packages are available:
  openSUSE Leap 42.1: java-1_8_0-openjdk 1.8.0.111-18.1
  openSUSE Leap 42.2: java-1_8_0-openjdk 1.8.0.111-3.1

RHEL 5, 6: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.35-1jpp.1.el5_11
  RHEL 6: java-1.6.0-ibm 1.6.0.16.35-1jpp.1.el6_8

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.41-1.13.13.1.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.41-1.13.13.1.el6_8
  RHEL 7: java-1.6.0-openjdk 1.6.0.41-1.13.13.1.el7_3

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.131-1jpp.1.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.131-1jpp.1.el6_8
  RHEL 7: java-1.6.0-sun 1.6.0.131-1jpp.1.el7

RHEL: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.9.60-1jpp.1.el5_11

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.121-2.6.8.1.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.121-2.6.8.1.el6_8
  RHEL 7: java-1.7.0-openjdk 1.7.0.121-2.6.8.0.el7_3

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.121-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.121-1jpp.1.el6_8
  RHEL 7: java-1.7.0-oracle 1.7.0.121-1jpp.1.el7

RHEL: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.60-1jpp.1.el6_8
  RHEL 7: java-1.7.1-ibm 1.7.1.3.60-1jpp.1.el7_2

RHEL: new java-1.8.0-ibm packages.
New packages are available:
  RHEL 6: java-1.8.0-ibm 1.8.0.3.20-1jpp.1.el6_8
  RHEL 7: java-1.8.0-ibm 1.8.0.3.20-1jpp.1.el7_2

RHEL: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.111-0.b15.el6_8
  RHEL 7: java-1.8.0-openjdk 1.8.0.111-1.b15.el7_2

RHEL: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.111-1jpp.4.el6_8
  RHEL 7: java-1.8.0-oracle 1.8.0.111-1jpp.4.el7

SUSE LE 11: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.60-58.2
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.60-58.2

SUSE LE 12: new java-1_8_0-ibm packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-ibm 1.8.0_sr3.21-20.1
  SUSE LE 12 SP2: java-1_8_0-ibm 1.8.0_sr3.21-20.1

SUSE LE 12: new java-1_8_0-openjdk packages.
New packages are available:
  SUSE LE 12 SP1: java-1_8_0-openjdk 1.8.0.111-17.1
  SUSE LE 12 SP2: java-1_8_0-openjdk 1.8.0.111-17.1

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.35-78.2
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.35-78.2
  SUSE LE 12 RTM-SP2: java-1_6_0-ibm 1.6.0_sr16.35-43.2

SUSE LE: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 11 SP4: java-1_7_1-ibm 1.7.1_sr3.60-19.2
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.60-31.2
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.60-31.2
  SUSE LE 12 SP2: java-1_7_1-ibm 1.7.1_sr3.60-31.2

Ubuntu 12.04: new openjdk-6-jre packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6-jre 6b40-1.13.12-0ubuntu0.12.04.2

Ubuntu 14.04: new openjdk-7-jre packages.
New packages are available:
  Ubuntu 14.04 LTS: openjdk-7-jre 7u121-2.6.8-1ubuntu0.14.04.1

Ubuntu: new openjdk-8-jdk packages.
New packages are available:
  Ubuntu 16.10: openjdk-8-jdk 8u111-b14-2ubuntu0.16.10.2
  Ubuntu 16.04 LTS: openjdk-8-jdk 8u111-b14-2ubuntu0.16.04.2

WebSphere AS: solution for Java.
The solution is indicated in information sources.

WebSphere Enterprise Service Bus: solution for WebSphere AS.
The solution is indicated in VIGILANCE-SOL-49181.
