SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Multiple Flaws Lets Local and Remote Users Gain Elevated Privileges and Remote Users Partially Access Data, Modify Data, and Deny Service
SecurityTracker Alert ID:  1033146
SecurityTracker URL:  http://securitytracker.com/id/1033146
CVE Reference:   CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760   (Links to External Site)
Date:  Jul 31 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can partially access data on the target system. A remote user can partially modify data on the target system. A remote user can cause partial denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. A remote user can gain elevated privileges.

A remote user can exploit a flaw in the Java SE 2D component to gain elevated privileges [CVE-2015-4760].

A remote user can exploit a flaw in the Java SE and Java SE Embedded CORBA component to gain elevated privileges [CVE-2015-2628].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JMX component to gain elevated privileges [CVE-2015-4731].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-2590].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Libraries component to gain elevated privileges [CVE-2015-4732].

A remote user can exploit a flaw in the Java SE and Java SE Embedded RMI component to gain elevated privileges [CVE-2015-4733].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to gain elevated privileges [CVE-2015-2638].

A remote user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-4736].

A remote user can exploit a flaw in the Java SE, JRockit, Java SE Embedded Security component to gain elevated privileges [CVE-2015-4748].

A local user can exploit a flaw in the Java SE Install component to gain elevated privileges [CVE-2015-2597].

A local user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2015-2664].

A remote user can exploit a flaw in the Java SE 2D component to partially access data [CVE-2015-2632].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded JCE component to partially access data [CVE-2015-2601].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JCE component to partially access data [CVE-2015-2613].

A remote user can exploit a flaw in the Java SE and Java SE Embedded JMX component to partially access data [CVE-2015-2621].

A remote user can exploit a flaw in the Java SE and Java SE Embedded Security component to cause partial denial of service conditions [CVE-2015-2659].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to partially access data [CVE-2015-2619].

A remote user can exploit a flaw in the Java SE, JavaFX, and Java SE Embedded 2D component to partially access data [CVE-2015-2637].

A remote user can exploit a flaw in the Java SE Hotspot component to partially modify data [CVE-2015-2596].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded JNDI component to cause partial denial of service conditions [CVE-2015-4749].

A remote user can exploit a flaw in the Java SE Deployment component to partially access and partially modify data [CVE-2015-4729].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access and partially modify data [CVE-2015-4000].

A remote user can exploit a flaw in the Java SE, JRockit, and Java SE Embedded SSL/TLS JSSE component to partially access and partially modify data [CVE-2015-2808].

A remote user can exploit a flaw in the Java SE Install component to partially access data [CVE-2015-2627].

A remote user can exploit a flaw in the Java SE, JRockit, Java SE Embedded SSL/TLS JSSE component to partially access data [CVE-2015-2625].

The following researchers reported these and other Oracle product vulnerabilities:

Adam Willard of Foreground Security; an Anonymous researcher via Beyond Security's SecuriTeam Secure Disclosure Program; Aniway.Anyway via HP's Zero Day Initiative; Arezou Hosseinzad-Amirkhizi of TELUS Security Labs; Benjamin Kunz Mejri of Evolution Security;
Borked of the Google Security Team; CERT/CC; Christiaan Esterhuizen of Trustwave; Christian Schneider; Danny Tsechansky; David Jorm; David Litchfield of Google; Derek Abdine of rapid7.com; Florian Lukavsky of SEC Consult Vulnerability Lab;
Florian Weimer of Red Hat; Hanno Bock; Jacob Smith; Juraj Somorovsky of Ruhr-University Bochum; Jorg Schwenk of Ruhr-University Bochum; Karthikeyan Bhargavan; Kyle Lovett; Martin Rakhmanov of Trustwave; Mateusz Jurczyk of Google Project Zero;
Microsoft Vulnerability Research of Microsoft Corp; Owais Mohammad Khan formerly of KPMG; Recx Ltd.; Richard Birkett of Worldpay; Richard Harrison of E.ON Business Services GmbH; Roberto Suggi Liverani of NATO Communications and Information Agency;
Sandeep Kamble of SecureLayer7; Steven Seeley of HP's Zero Day Initiative; Tibor Jager of Ruhr-University Bochum; Tudor Enache of Help AG; and Vladimir Wolstencroft.

Impact:   A remote user can partially access data on the target system.

A remote user can partially modify data on the target system.

A remote user can cause partial denial of service conditions.

A local user can obtain elevated privileges on the target system.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, and CVE-2015-4760 for java-1.6.0-openjdk.

i386:
11a2635ffab652c45c63ac6aa128866507d5aa53d04ad7030b839f31c6a5f4df java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.i386.rpm
7597882cfdaf40f21aca2a6af73aedd1ac1bce73e18a316d6db23d56a40f44c6 java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.i386.rpm
a6ceae2f7957675fb06d209fe703019069257c1c31a48a7abf09b8933858077a java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.i386.rpm
94ec650562cec44847914ce52fb88a83937a8646ac58093aacbb89cc44200580 java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.i386.rpm
b44c48cbff3a0eb0fc713ff4bd5624cce7aa5abafa54bdd2994026f57c3542d4 java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.i386.rpm

x86_64:
9d896fe3912a3feef0f0806d8ba0231beec02ecaaff0dd3062228c694a94acab java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
e5e5f98447cde6cf42dec41b2012ce03a2c4da60d149b2172f7bc594d3aeeb28 java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
91996692b0932c47d3d3f37707bfd3d5e119d9bf091940d810b650cbb0984ce3 java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
1f4028f6cf0ea019a8d032e1860060e71939facfce1497574b2b4420829377ee java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
105b064767a936c604222364891240945104958b0af6fdc013dbc474aa489b66 java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm

Source:
a1823e46d30a1db8e7631e2a912f863f3bad7442db82f9d323dca26dc7cfa9d0 java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.src.rpm

x86_64:
5e91f94700cc94a8422277dcca5146e2f54a33547397d0b467e52e916ded811a java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
3e22027833fc703705aa7bbc9cb395733f2098320dc6538cd59bba7015d94745 java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
7a3a1b5b8bcaf615fa3797b9c76660a11e6ecd8b43670a4da00d610fe7c32b1d java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
a2753379c1c1e628a155cd2af93a1c44ef7a44d164ce39fdddef0c51dbb53ad6 java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
a263d9da3f58f534699e226540180c7874fa38e7a60782a161902c1091e41eb8 java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Source:
41b960e8e0cd7a4acd59a1750fcd2129c95a69a68e92d898ee613e1ae000fef8 java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.src.rpm
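Before any of the packages above are handed to rpm or yum, a defender should confirm that what was pulled from a mirror actually matches the published sha256 sums. The script below is an added example, not part of the SecurityTracker entry or the CentOS announcement: it embeds the advisory's el5_11 x86_64 manifest from this page, assumes the RPMs were downloaded into a directory passed as its first argument, and uses helper names (`sha256_of`, `verify_manifest`) chosen here. A missing file or a digest mismatch fails the whole check rather than just the one package.

```shell
#!/bin/sh
# Added example (not from the SecurityTracker entry or the CentOS announcement):
# verify downloaded update RPMs against the sha256 manifest published in the
# advisory before handing them to rpm/yum. A missing file or a digest mismatch
# fails the whole check, so a tampered or half-synced mirror is caught early.

# Manifest copied from the advisory's el5_11 x86_64 section: "<sha256> <filename>".
CESA_2015_1526_X86_64_MANIFEST='
9d896fe3912a3feef0f0806d8ba0231beec02ecaaff0dd3062228c694a94acab java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
e5e5f98447cde6cf42dec41b2012ce03a2c4da60d149b2172f7bc594d3aeeb28 java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
91996692b0932c47d3d3f37707bfd3d5e119d9bf091940d810b650cbb0984ce3 java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
1f4028f6cf0ea019a8d032e1860060e71939facfce1497574b2b4420829377ee java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
105b064767a936c604222364891240945104958b0af6fdc013dbc474aa489b66 java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
'

# sha256_of FILE: print the lowercase hex digest, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_manifest DIR MANIFEST: return 0 only if every file named in MANIFEST
# exists in DIR and hashes to its expected digest; every failure is reported,
# not just the first one.
verify_manifest() {
    dir=$1
    manifest=$2
    failures=0
    while read -r expected name; do
        [ -z "$expected" ] && continue        # skip blank manifest lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2
            failures=$((failures + 1))
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual)" >&2
            failures=$((failures + 1))
        fi
    done <<EOF
$manifest
EOF
    [ "$failures" -eq 0 ]
}

# Usage: sh verify_cesa.sh /path/to/downloaded/rpms
if [ "$#" -eq 1 ]; then
    verify_manifest "$1" "$CESA_2015_1526_X86_64_MANIFEST" && echo "all packages verified"
fi
```

The manifest is parsed with `read` rather than piped into `sha256sum -c` so the check behaves the same with GNU coreutils and with `shasum` on systems that lack `sha256sum`, and so the i386 or el7_1 lists from the advisory can be dropped in unchanged.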

Vendor URL:  www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  5, 7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 15 2015 Oracle Java SE Multiple Flaws Lets Local and Remote Users Gain Elevated Privileges and Remote Users Partially Access Data, Modify Data, and Deny Service

Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1526 Important CentOS 5 java-1.6.0-openjdk Security Update


CentOS Errata and Security Advisory 2015:1526 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1526.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

i386:
11a2635ffab652c45c63ac6aa128866507d5aa53d04ad7030b839f31c6a5f4df  java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.i386.rpm
7597882cfdaf40f21aca2a6af73aedd1ac1bce73e18a316d6db23d56a40f44c6  java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.i386.rpm
a6ceae2f7957675fb06d209fe703019069257c1c31a48a7abf09b8933858077a  java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.i386.rpm
94ec650562cec44847914ce52fb88a83937a8646ac58093aacbb89cc44200580  java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.i386.rpm
b44c48cbff3a0eb0fc713ff4bd5624cce7aa5abafa54bdd2994026f57c3542d4  java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.i386.rpm

x86_64:
9d896fe3912a3feef0f0806d8ba0231beec02ecaaff0dd3062228c694a94acab  java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
e5e5f98447cde6cf42dec41b2012ce03a2c4da60d149b2172f7bc594d3aeeb28  java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
91996692b0932c47d3d3f37707bfd3d5e119d9bf091940d810b650cbb0984ce3  java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
1f4028f6cf0ea019a8d032e1860060e71939facfce1497574b2b4420829377ee  java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
105b064767a936c604222364891240945104958b0af6fdc013dbc474aa489b66  java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm

Source:
a1823e46d30a1db8e7631e2a912f863f3bad7442db82f9d323dca26dc7cfa9d0  java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

Copyright 2022, SecurityGlobal.net LLC