Published on: 18 October 2017
Oracle has released its Critical Patch Update (CPU) Advisory, a collection of patches for multiple security vulnerabilities in Java SE and various other Oracle products.
22 vulnerabilities are identified in Java SE, affecting multiple sub-components including 2D, Deployment, Hotspot, Javadoc, JAXP, JAX-WS, Libraries, Networking, RMI, Security, Serialization, Server, Smart Card IO and Util (zlib). 20 of them could be exploited remotely without authentication, and 4 of them affect Java Deployment and the Java Advanced Management Console.
The vulnerabilities identified in other Oracle products can be exploited with physical access or remotely over a network through various protocols, including HTTP, HTTPS, Kerberos, the MySQL protocol, NTP and Oracle Net.
There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing an untrusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.
A complete list of the affected products can be found at:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of the vulnerable system.
Patches for the affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor’s website:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Users may contact their product support vendors for the fixes and assistance.
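The quickest check a practitioner wants after an advisory like this is whether the Java SE installed on a host is already at the build level shipped with the CPU. The following POSIX shell script is an added example, not code from the page or from Oracle: it parses the first line of `java -version` output into a family and an update number and compares it against a minimum update level per family. The minimum levels (6u171, 7u161, 8u151 and 9.0.1) are an assumption taken from Oracle's October 2017 advisory and release notes rather than from this page; verify them against the advisory link above before relying on the result. The sample version lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether an installed Java SE build meets the update
# level shipped with the October 2017 CPU. Not part of the original advisory.

# Parse the first line of `java -version` output into "<family> <update>".
# Handles both the legacy "1.8.0_144-b01" scheme (family 8, update 144) and
# the Java 9 scheme "9.0.1" (family 9, update 1). Fails if unparseable.
parse_java_version() {
  line=$1
  ver=$(printf '%s\n' "$line" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  [ -n "$ver" ] || return 1
  case "$ver" in
    1.*)
      family=${ver#1.}; family=${family%%.*}
      # Update number follows "_"; a plain GA build without "_" is update 0.
      case "$ver" in
        *_*) update=${ver##*_} ;;
        *)   update=0 ;;
      esac
      update=${update%%-*}          # drop build suffix such as "-b01"
      ;;
    *)
      # Pad "9" or "9.0" to three components so the update field exists.
      case "$ver" in
        *.*.*) ;;
        *.*)   ver="$ver.0" ;;
        *)     ver="$ver.0.0" ;;
      esac
      family=${ver%%.*}
      rest=${ver#*.}
      update=${rest#*.}
      update=${update%%[!0-9]*}     # drop anything after the digits
      ;;
  esac
  case "$family" in ''|*[!0-9]*) return 1 ;; esac
  case "$update" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s %s\n' "$family" "$update"
}

# Minimum update level per family as shipped in the Oct 2017 CPU.
# ASSUMPTION: values taken from Oracle's advisory, not from this page.
min_update_for_family() {
  case "$1" in
    6) echo 171 ;;
    7) echo 161 ;;
    8) echo 151 ;;
    9) echo 1 ;;
    *) return 1 ;;
  esac
}

# Exit status: 0 = at or above the fixed level, 1 = below it (vulnerable),
# 2 = version line could not be parsed or family not covered by this check.
java_is_patched() {
  parsed=$(parse_java_version "$1") || return 2
  set -- $parsed
  need=$(min_update_for_family "$1") || return 2
  [ "$2" -ge "$need" ]
}

# Human-readable verdict for one version line.
report_java_version() {
  java_is_patched "$1"
  case $? in
    0) printf 'PATCHED    %s\n' "$1" ;;
    1) printf 'VULNERABLE %s\n' "$1" ;;
    *) printf 'UNKNOWN    %s\n' "$1" ;;
  esac
}

# Check the JVM on PATH, if any (java prints its version on stderr).
check_installed_java() {
  command -v java >/dev/null 2>&1 || { echo 'no java on PATH'; return 2; }
  report_java_version "$(java -version 2>&1 | head -n 1)"
}

# Constructed sample lines, not captured from any real host.
for sample in \
  'java version "1.8.0_144"' \
  'java version "1.8.0_151-b12"' \
  'openjdk version "1.7.0_161"' \
  'java version "9"' \
  'java version "9.0.1"'
do
  report_java_version "$sample"
done
```

Run it on a host to get a verdict for the JVM on PATH via `check_installed_java`; note that it only inspects the first `java` found, so hosts with several JDKs or bundled runtimes need each `bin/java` checked separately.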
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/java/javase/documentation/8u-relnotes-2225394.html
https://www.hkcert.org/my_url/en/alert/17101801
https://www.us-cert.gov/ncas/current-activity/2017/10/17/Oracle-Releases-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5254
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2834
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3588
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3733
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10026
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10033
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10034
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10037
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10051
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10055
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10060
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10099
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10152
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10154
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10155
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10163
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10165
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10166
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10167
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10190
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10194
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10203
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10227
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10259
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10260
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10261
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10265
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10270
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10274 (to CVE-2017-10277)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10279
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10281
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10283 (to CVE-2017-10286)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10292 (to CVE-2017-10296)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10309
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10311
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10313
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10314
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10320
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10321
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10334
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10336
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10341
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10342
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10345 (to CVE-2017-10350)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10352
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10355
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10356
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10357
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10360
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10365
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10369
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378 (to CVE-2017-10380)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10384 (to CVE-2017-10386)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10391 (to CVE-2017-10393)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10400
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10407
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10408
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10424
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10428