Oracle Java SE 6 < Update 151 / 7 < Update 141 / 8 < Update 131 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700090

Synopsis

The remote host is missing a critical Oracle Java SE patch update.

Description

The version of Oracle Java SE installed on the remote host is prior to 6 Update 151, 7 Update 141, or 8 Update 131, and is therefore affected by multiple vulnerabilities :

- An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-3509)
- An unspecified flaw exists in the JCE subcomponent that allows a local attacker to gain elevated privileges. This vulnerability does not affect Java SE version 6. (CVE-2017-3511)
- An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. This vulnerability does not affect Java SE version 6. (CVE-2017-3512)
- An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3514)
- An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3526)
- Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. (CVE-2017-3533, CVE-2017-3544)
- An unspecified flaw exists in the Security subcomponent that allows an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. (CVE-2017-3539)

Solution

Upgrade to Java 1.8.0_131 or later. If version 1.8.x cannot be obtained, versions 1.7.0_141 and 1.6.0_151 have also been patched for this vulnerability.

See Also

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA

http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html

http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.h

http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml

Plugin Details

Severity: High

ID: 700090

Family: Web Clients

Published: 5/10/2017

Updated: 3/6/2019

Nessus ID: 99588, 99589

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:java_se

Patch Publication Date: 4/18/2017

Vulnerability Publication Date: 4/18/2017

Reference Information

CVE: CVE-2017-3509, CVE-2017-3511, CVE-2017-3512, CVE-2017-3514, CVE-2017-3526, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544

BID: 97727, 97729, 97731, 97733, 97737, 97740, 97745, 97752