Oracle Java SE 7 < Update 201 / 8 < Update 192 / 11 < 11.01 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 700393

Synopsis

The remote host is missing a critical Oracle Java SE patch update.

Description

The version of Oracle Java SE installed on the remote host is prior to 7 Update 201, 8 Update 192, or 11.01, and is therefore affected by multiple vulnerabilities :

- An issue exists in 'libjpeg 9a'. The 'alloc_sarray' function in 'jmemmgr.c' allows remote attackers to cause a denial of service via a crafted file. (CVE-2018-11212)
- An issue exists that allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. (CVE-2019-2422, CVE-2019-2449)
- An issue exists that allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. (CVE-2019-2426)

Solution

Upgrade to Java 11.01 or later. If version 11.x cannot be obtained, versions 1.7.0_201 and 1.8.0_192 have also been patched for this vulnerability.

See Also

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/blog/oracle-s-january-critical-patch-update-addresses-nearly-300-fixes

Plugin Details

Severity: Medium

ID: 700393

Family: Web Clients

Published: 1/17/2019

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:java_se

Patch Publication Date: 1/15/2019

Vulnerability Publication Date: 1/15/2019

Reference Information

CVE: CVE-2018-11212, CVE-2019-2422, CVE-2019-2426, CVE-2019-2449

BID: 106583, 106590, 106596, 106597