SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Oracle Java SE Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Multiple Flaws Lets Local and Remote Users Gain Elevated Privileges and Remote Users Partially Access Data, Modify Data, and Deny Service
SecurityTracker Alert ID:  1032950
SecurityTracker URL:  http://securitytracker.com/id/1032950
CVE Reference:   CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760   (Links to External Site)
Date:  Jul 16 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can partially access data on the target system. A remote user can partially modify data on the target system. A remote user can cause partial denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. A remote user can gain elevated privileges.

A remote user can exploit a flaw in the Java SE 2D component to gain elevated privileges [CVE-2015-4760].

A remote user can exploit a flaw in the Java SE and Java SE Embedded CORBA component to gain elevated privileges [CVE-2015-2628].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JMX component to gain elevated privileges [CVE-2015-4731].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-2590].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-4732].

A remote user can exploit a flaw in the Java SE and Java SE Embedded RMI component to gain elevated privileges [CVE-2015-4733].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to gain elevated privileges [CVE-2015-2638].

A remote user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-4736].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded Security component to gain elevated privileges [CVE-2015-4748].

A local user can exploit a flaw in the Java SE Install component to gain elevated privileges [CVE-2015-2597].

A local user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-2664].

A remote user can exploit a flaw in the Java SE 2D component to partially access data [CVE-2015-2632].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded JCE component to partially access data [CVE-2015-2601].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JCE component to partially access data [CVE-2015-2613].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JMX component to partially access data [CVE-2015-2621].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Security component to cause partial denial of service conditions [CVE-2015-2659].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to partially access data [CVE-2015-2619].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to partially access data [CVE-2015-2637].

A remote user can exploit a flaw in the Java SE Hotspot component to partially modify data [CVE-2015-2596].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded JNDI component to cause partial denial of service conditions [CVE-2015-4749].

A remote user can exploit a flaw in the Java SE Deployment component to partially access and partially modify data [CVE-2015-4729].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access and partially modify data [CVE-2015-4000].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access and partially modify data [CVE-2015-2808].

A remote user can exploit a flaw in the Java SE Install component to partially access data [CVE-2015-2627].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access data [CVE-2015-2625].

The following researchers reported these and other Oracle product vulnerabilities:

Adam Willard of Foreground Security; an Anonymous researcher via Beyond Security's SecuriTeam Secure Disclosure Program; Aniway.Anyway via HP's Zero Day Initiative; Arezou Hosseinzad-Amirkhizi of TELUS Security Labs; Benjamin Kunz Mejri of Evolution Security;
Borked of the Google Security Team; CERT/CC; Christiaan Esterhuizen of Trustwave; Christian Schneider; Danny Tsechansky; David Jorm; David Litchfield of Google; Derek Abdine of rapid7.com; Florian Lukavsky of SEC Consult Vulnerability Lab;
Florian Weimer of Red Hat; Hanno Bock; Jacob Smith; Juraj Somorovsky of Ruhr-University Bochum; Jorg Schwenk of Ruhr-University Bochum; Karthikeyan Bhargavan; Kyle Lovett; Martin Rakhmanov of Trustwave; Mateusz Jurczyk of Google Project Zero;
Microsoft Vulnerability Research of Microsoft Corp; Owais Mohammad Khan formerly of KPMG; Recx Ltd.; Richard Birkett of Worldpay; Richard Harrison of E.ON Business Services GmbH; Roberto Suggi Liverani of NATO Communications and Information Agency;
Sandeep Kamble of SecureLayer7; Steven Seeley of HP's Zero Day Initiative; Tibor Jager of Ruhr-University Bochum; Tudor Enache of Help AG; and Vladimir Wolstencroft.

Impact:   A remote user can partially access data on the target system.

A remote user can partially modify data on the target system.

A remote user can cause partial denial of service conditions.

A local user can obtain elevated privileges on the target system.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, and CVE-2015-4760.


Vendor URL:  www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  5, 6

Message History:   This archive entry is a follow-up to the message listed below.
Jul 15 2015 Oracle Java SE Multiple Flaws Lets Local and Remote Users Gain Elevated Privileges and Remote Users Partially Access Data, Modify Data, and Deny Service



 Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1229 Critical CentOS 6 java-1.7.0-openjdk Security Update


CentOS Errata and Security Advisory 2015:1229 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1229.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
Copyright 2022, SecurityGlobal.net LLC