SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Multiple Flaws Lets Local and Remote Users Gain Elevated Privileges and Remote Users Partially Access Data, Modify Data, and Deny Service
SecurityTracker Alert ID:  1032949
SecurityTracker URL:  http://securitytracker.com/id/1032949
CVE Reference:   CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-2659, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760
Date:  Jul 16 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can partially access data on the target system. A remote user can partially modify data on the target system. A remote user can cause partial denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. A remote user can gain elevated privileges.

A remote user can exploit a flaw in the Java SE 2D component to gain elevated privileges [CVE-2015-4760].

A remote user can exploit a flaw in the Java SE and Java SE Embedded CORBA component to gain elevated privileges [CVE-2015-2628].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JMX component to gain elevated privileges [CVE-2015-4731].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-2590].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-4732].

A remote user can exploit a flaw in the Java SE and Java SE Embedded RMI component to gain elevated privileges [CVE-2015-4733].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to gain elevated privileges [CVE-2015-2638].

A remote user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-4736].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded Security component to gain elevated privileges [CVE-2015-4748].

A local user can exploit a flaw in the Java SE Install component to gain elevated privileges [CVE-2015-2597].

A local user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-2664].

A remote user can exploit a flaw in the Java SE 2D component to partially access data [CVE-2015-2632].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded JCE component to partially access data [CVE-2015-2601].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JCE component to partially access data [CVE-2015-2613].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JMX component to partially access data [CVE-2015-2621].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Security component to cause partial denial of service conditions [CVE-2015-2659].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to partially access data [CVE-2015-2619].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to partially access data [CVE-2015-2637].

A remote user can exploit a flaw in the Java SE Hotspot component to partially modify data [CVE-2015-2596].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded JNDI component to cause partial denial of service conditions [CVE-2015-4749].

A remote user can exploit a flaw in the Java SE Deployment component to partially access and partially modify data [CVE-2015-4729].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access and partially modify data [CVE-2015-4000].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access and partially modify data [CVE-2015-2808].

A remote user can exploit a flaw in the Java SE Install component to partially access data [CVE-2015-2627].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access data [CVE-2015-2625].

The following researchers reported these and other Oracle product vulnerabilities:

Adam Willard of Foreground Security; an Anonymous researcher via Beyond Security's SecuriTeam Secure Disclosure Program; Aniway.Anyway via HP's Zero Day Initiative; Arezou Hosseinzad-Amirkhizi of TELUS Security Labs; Benjamin Kunz Mejri of Evolution Security;
Borked of the Google Security Team; CERT/CC; Christiaan Esterhuizen of Trustwave; Christian Schneider; Danny Tsechansky; David Jorm; David Litchfield of Google; Derek Abdine of rapid7.com; Florian Lukavsky of SEC Consult Vulnerability Lab;
Florian Weimer of Red Hat; Hanno Bock; Jacob Smith; Juraj Somorovsky of Ruhr-University Bochum; Jorg Schwenk of Ruhr-University Bochum; Karthikeyan Bhargavan; Kyle Lovett; Martin Rakhmanov of Trustwave; Mateusz Jurczyk of Google Project Zero;
Microsoft Vulnerability Research of Microsoft Corp; Owais Mohammad Khan formerly of KPMG; Recx Ltd.; Richard Birkett of Worldpay; Richard Harrison of E.ON Business Services GmbH; Roberto Suggi Liverani of NATO Communications and Information Agency;
Sandeep Kamble of SecureLayer7; Steven Seeley of HP's Zero Day Initiative; Tibor Jager of Ruhr-University Bochum; Tudor Enache of Help AG; and Vladimir Wolstencroft.

Impact:   A remote user can partially access data on the target system.

A remote user can partially modify data on the target system.

A remote user can cause partial denial of service conditions.

A local user can obtain elevated privileges on the target system.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-2659, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, and CVE-2015-4760.

CentOS 6

i386:
8e2d79bb2cfc5e9b17ab674af49905b06936dc7fae6d3e64b651f2cb1246ec51 java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.i686.rpm
88a7e3a6ba9d05fa60b761012621e9f69352a8b963d5db8ea253a871f8e8b304 java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.i686.rpm
1c823308b50eac59af073eaa416e903aded312cd522f2f320964e2fc652b0b05 java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.i686.rpm
1fe352d9d3a954db22fec1efe9c86c4adb95312c389b792499e0b2a92c61c013 java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.i686.rpm
ba6c22fda5f5b7ec278dde4efa4978ad6e71dcbd6e50496f977f50cafc6fb497 java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm
d52dc4b8ad8495b3b131a67bebc1216ad062052d7e63836b972a07a872845fff java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.i686.rpm

x86_64:
ad216c3a38ffa075ac1e43c9348b7f0d6c85c4c7d9213b48ce50527b813fc70f java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64.rpm
4a1332919cd1ae488d7effa9db6d839fa598a9dea4bde9de9d0653e4ac976d59 java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.x86_64.rpm
7786f19941e33a785a1379a95082ad6335f399234bfa7486a83f10cc83809340 java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.x86_64.rpm
b552369bfacdbb993cb6eb7c9bffcd3003de1f0db278a01f162b6199b9ff4709 java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.x86_64.rpm
ba6c22fda5f5b7ec278dde4efa4978ad6e71dcbd6e50496f977f50cafc6fb497 java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm
15ca5b3ca7a6bbaee523c26369025ccc88c577d54c9bfcd02811f0c715ef9315 java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.x86_64.rpm

Source:
f899cad6739a5813cf04f02fe416743b441cfa8ac00a5d2dfd8c8e2f9924614e java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.src.rpm

CentOS 7

x86_64:
11cb5562dd5dff45d15211e6df0f6425f89a3a7a1b16777c4a7d7be82482e822 java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.x86_64.rpm
dfcd4d4f7574f46de70c4e9dc907550cacf7ee8a94a9345e413c24e06b70f23c java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1.x86_64.rpm
6ae353ebb9050b2f1b603c7c5eaf9dbb34c163cd6e5f190633e8eab18fe66a2b java-1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1.x86_64.rpm
ec55767fe364cf285231dee8668c06553931dad16a93258301d3e1f1371a254a java-1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1.x86_64.rpm
5c87830f2456f8292dddc222b3811212b5a0ee74b3dcf50aaf2520674f302afb java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1.x86_64.rpm
61f06cc19c9e3e1fd44904a27e6e9389b33b7ff43087a4495232756ead44ce44 java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.el7_1.noarch.rpm
6950d5538b25a0776f98797b070b7009e4c5eac2fdbc38685d76f2781fc3c1eb java-1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1.x86_64.rpm

Source:
2a9159e357ebd2648ce22f759a7a890eea6e5dc0c624ab1fe23505673f1fc844 java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.src.rpm
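The package lists above are given as "sha256sum Filename" pairs so that an administrator can confirm that what came down from a mirror is the file CentOS signed off on, and the fixed version-release (1.8.0.51-0.b16.el6_6 on CentOS 6, 1.8.0.51-1.b16.el7_1 on CentOS 7) is what an installed system must be at or above. The script below is an added example, not part of the advisory or of any CentOS tooling: it parses manifest lines of that form (the three digests embedded in it are copied from this page), verifies downloaded RPMs against them, and compares an installed package's version-release against the fixed one using a simplified version of rpm's segment-wise comparison. The function names, the simplified comparison (which ignores the RPM epoch), and the temp-directory self-check with constructed file contents are all assumptions of this example.

```python
"""Verify CentOS update RPMs against an advisory's sha256 manifest and
check whether an installed package version is at or above the fixed one.
Added example; not code from SecurityTracker, CentOS or Red Hat."""
import hashlib
import re
import tempfile
from pathlib import Path

# Three "sha256  filename" lines copied from the CESA-2015:1228 lists on this page.
ADVISORY_MANIFEST = """
8e2d79bb2cfc5e9b17ab674af49905b06936dc7fae6d3e64b651f2cb1246ec51  java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.i686.rpm
ad216c3a38ffa075ac1e43c9348b7f0d6c85c4c7d9213b48ce50527b813fc70f  java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64.rpm
11cb5562dd5dff45d15211e6df0f6425f89a3a7a1b16777c4a7d7be82482e822  java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.x86_64.rpm
"""

MANIFEST_RE = re.compile(r"^([0-9a-fA-F]{64})\s+(\S+\.rpm)$")
SEGMENT_RE = re.compile(r"(\d+|[a-zA-Z]+)")


def parse_manifest(text):
    """Return {filename: sha256} from 'sha256  filename' lines; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_RE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of(path):
    """Stream a file through SHA-256 so large RPMs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in manifest.items():
        p = Path(directory) / name
        if not p.is_file():
            results[name] = "MISSING"
        elif sha256_of(p) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"  # never install a file that fails this check
    return results


def parse_nvra(filename):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    base, arch = base.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """Simplified rpm version comparison: walk alternating numeric/alpha segments.
    Numeric segments compare as integers and sort newer than alpha segments."""
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed_nvra, fixed_nvra):
    """True if the installed version-release is at or above the advisory's fixed one.
    Epoch is ignored (assumption of this example); names must match and callers
    should compare against the fixed build for the same CentOS release."""
    n1, v1, r1, _ = parse_nvra(installed_nvra)
    n2, v2, r2, _ = parse_nvra(fixed_nvra)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


def self_check():
    """Constructed end-to-end run: one matching file, one tampered file, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "good.rpm"
        good.write_bytes(b"constructed rpm payload")
        tampered = Path(d) / "tampered.rpm"
        tampered.write_bytes(b"payload modified in transit")
        manifest = "\n".join([
            f"{sha256_of(good)}  good.rpm",
            f"{'0' * 64}  tampered.rpm",   # deliberately wrong digest
            f"{'1' * 64}  absent.rpm",
        ])
        return verify_downloads(parse_manifest(manifest), d)


if __name__ == "__main__":
    print(self_check())
    print(is_fixed("java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64",
                   "java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64"))
```

In practice the manifest text would be the advisory's own list pasted into a file and the directory the download location; `rpm -q java-1.8.0-openjdk` supplies the installed NVRA for `is_fixed`. The checksum check is a transport-integrity check only: the digests are trusted because they arrive in a signed list message, so it complements, rather than replaces, RPM GPG signature verification.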

Vendor URL:  www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 15 2015 Oracle Java SE Multiple Flaws Lets Local and Remote Users Gain Elevated Privileges and Remote Users Partially Access Data, Modify Data, and Deny Service

Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1228 Important CentOS 6 java-1.8.0-openjdk Security Update


CentOS Errata and Security Advisory 2015:1228 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1228.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
8e2d79bb2cfc5e9b17ab674af49905b06936dc7fae6d3e64b651f2cb1246ec51  java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.i686.rpm
88a7e3a6ba9d05fa60b761012621e9f69352a8b963d5db8ea253a871f8e8b304  java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.i686.rpm
1c823308b50eac59af073eaa416e903aded312cd522f2f320964e2fc652b0b05  java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.i686.rpm
1fe352d9d3a954db22fec1efe9c86c4adb95312c389b792499e0b2a92c61c013  java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.i686.rpm
ba6c22fda5f5b7ec278dde4efa4978ad6e71dcbd6e50496f977f50cafc6fb497  java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm
d52dc4b8ad8495b3b131a67bebc1216ad062052d7e63836b972a07a872845fff  java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.i686.rpm

x86_64:
ad216c3a38ffa075ac1e43c9348b7f0d6c85c4c7d9213b48ce50527b813fc70f  java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64.rpm
4a1332919cd1ae488d7effa9db6d839fa598a9dea4bde9de9d0653e4ac976d59  java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.x86_64.rpm
7786f19941e33a785a1379a95082ad6335f399234bfa7486a83f10cc83809340  java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.x86_64.rpm
b552369bfacdbb993cb6eb7c9bffcd3003de1f0db278a01f162b6199b9ff4709  java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.x86_64.rpm
ba6c22fda5f5b7ec278dde4efa4978ad6e71dcbd6e50496f977f50cafc6fb497  java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm
15ca5b3ca7a6bbaee523c26369025ccc88c577d54c9bfcd02811f0c715ef9315  java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.x86_64.rpm

Source:
f899cad6739a5813cf04f02fe416743b441cfa8ac00a5d2dfd8c8e2f9924614e  java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

Copyright 2022, SecurityGlobal.net LLC