KLA11076
Multiple vulnerabilities in Oracle Java SE
Updated: 26/06/2019
Detection date
19/07/2017
Threat level
High
Description

Multiple serious vulnerabilities have been found in Oracle Java SE. Malicious users can exploit these vulnerabilities to gain privileges, read and write accessible data and cause a denial of service.

Below is a complete list of vulnerabilities:

  1. An unspecified vulnerability in the 2D subcomponent of Java SE, Java SE Embedded and JRockit can be exploited remotely via sandboxed Java Web Start applications, sandboxed Java applets or by supplying data to APIs in the specified Component through a web service to cause a denial of service;
  2. An unspecified vulnerability in the Security subcomponent of Java SE can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  3. An unspecified vulnerability in the Hotspot subcomponent of Java SE and Java SE Embedded can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  4. An unspecified vulnerability in the Scripting subcomponent of Java SE can be exploited remotely via sandboxed Java Web Start applications, sandboxed Java applets or by supplying data to APIs in the specified Component through a web service to get read/write access to all Java SE accessible data;
  5. An unspecified vulnerability in the Hotspot subcomponent of Java SE and Java SE Embedded can be exploited remotely by convincing a user to run untrusted code to get write access to some of Java SE and Java SE Embedded accessible data;
  6. Multiple unspecified vulnerabilities in the JavaFX subcomponent of Java SE can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  7. Multiple unspecified vulnerabilities in the Libraries subcomponent of Java SE and Java SE Embedded can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  8. An unspecified vulnerability in the ImageIO subcomponent of Java SE can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  9. Multiple unspecified vulnerabilities in the JAXP subcomponent of Java SE and Java SE Embedded can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  10. An unspecified vulnerability in the RMI subcomponent of Java SE and Java SE Embedded can be exploited remotely by supplying data to APIs in the specified Component through a web service to gain privileges;
  11. Multiple unspecified vulnerabilities in the Server subcomponent of Java Advanced Management Console can be exploited remotely via unknown vectors to get read/write access to some of Java Advanced Management Console accessible data and cause a denial of service;
  12. An unspecified vulnerability in the Deployment subcomponent of Java SE can be exploited remotely by convincing a user to run untrusted code to get write access to some of Java SE accessible data;
  13. An unspecified vulnerability in the RMI subcomponent of Java SE and Java SE Embedded can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  14. An unspecified vulnerability in the Serialization subcomponent of Java SE, Java SE Embedded and JRockit can be exploited remotely via sandboxed Java Web Start applications, sandboxed Java applets or by supplying data to APIs in the specified Component through a web service to cause a denial of service;
  15. An unspecified vulnerability in the Serialization subcomponent of Java SE, Java SE Embedded and JRockit can be exploited remotely by convincing a user to run untrusted code to cause a denial of service;
  16. An unspecified vulnerability in the AWT subcomponent of Java SE can be exploited remotely by convincing a user to run untrusted code to gain privileges;
  17. Multiple unspecified vulnerabilities in the JCE subcomponent of Java SE, Java SE Embedded and JRockit can be exploited remotely via sandboxed Java Web Start applications, sandboxed Java applets or by supplying data to APIs in the specified Component through a web service to get read access to all Java SE, Java SE Embedded and JRockit accessible data;
  18. An unspecified vulnerability in the Security subcomponent of Java SE, Java SE Embedded and JRockit can be exploited remotely via sandboxed Java Web Start applications, sandboxed Java applets or by supplying data to APIs in the specified Component through a web service to gain privileges;
  19. An unspecified vulnerability in the Server subcomponent of Java Advanced Management Console can be exploited remotely via unknown vectors to get read access to some of Java Advanced Management Console accessible data;
  20. An unspecified vulnerability in the Deployment subcomponent of Java SE can be exploited locally via unknown vectors to gain privileges;
  21. Multiple unspecified vulnerabilities in the Security subcomponent of Java SE, Java SE Embedded and JRockit can be exploited remotely via sandboxed Java Web Start applications, sandboxed Java applets or by supplying data to APIs in the specified Component through a web service to get read access to all Java SE, Java SE Embedded and JRockit accessible data;
  22. An unspecified vulnerability in the Security subcomponent of Java SE and Java SE Embedded can be exploited remotely by convincing a user to run untrusted code to get read access to some of Java SE and Java SE Embedded accessible data;
  23. An unspecified vulnerability in the JAX-WS subcomponent of Java SE, Java SE Embedded and JRockit can be exploited remotely via sandboxed Java Web Start applications, sandboxed Java applets or by supplying data to APIs in the specified Component through a web service to get read access to some of Java SE and Java SE Embedded accessible data and cause a denial of service;

Technical details

Vulnerability (20) applies to Java deployments where Java Auto Update is enabled.

NB: Not every vulnerability has a CVSS rating yet, so the cumulative CVSS rating may not be representative.

Affected products

Oracle Java SE 6u151
Oracle Java SE 7u141
Oracle Java SE 8u131
Oracle Java SE Embedded 8u131
Oracle JRockit R28.3.14
Oracle Java Advanced Management Console 2.6

Solution

Update to the latest version
Get Java SE

Original advisory
Oracle Critical Patch Update - July 2017
Impacts
DoS
WLF
PE
RLF
Related products
Oracle Java JRE 1.7.x
Oracle Java JDK 1.7.x
Oracle Java JDK 1.8.x
Oracle Java JRE 1.8.x
Oracle JRockit
CVE-IDS