ESB-2016.0789 - ALERT [Win][Linux][Solaris][OSX] Oracle Java SE: Execute arbitrary code/commands - Remote with user interaction

Date: 24 March 2016
References: ESB-2016.0790  ESB-2016.0791  ESB-2016.0863  ESB-2016.1025  ESB-2016.1037  ESB-2016.1468  ESB-2016.1519  ESB-2016.1586  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0789
                  Oracle Security Alert for CVE-2016-0636
                               24 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Java SE
Publisher:         Oracle
Operating System:  Windows
                   Solaris
                   Linux variants
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0636  

Original Bulletin: 
   http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html

Comment: IMPORTANT: Due to the severity of this vulnerability and the public
         disclosure of technical details, Oracle strongly recommends that 
         customers apply the updates provided by this Security Alert as soon
         as possible.

- --------------------------BEGIN INCLUDED TEXT--------------------

Oracle Security Alert for CVE-2016-0636

Description

This Security Alert addresses CVE-2016-0636, a vulnerability affecting Java SE
running in web browsers on desktops. This vulnerability is not applicable to 
Java deployments, typically in servers or standalone desktop applications, 
that load and run only trusted code. It also does not affect Oracle 
server-based software.

This vulnerability may be remotely exploitable without authentication, i.e., 
may be exploited over a network without the need for a username and password.
To be successfully exploited, an unsuspecting user running an affected release
in a browser will need to visit a malicious web page that leverages this 
vulnerability. Successful exploits can impact the availability, integrity, and
confidentiality of the user's system.

Due to the severity of this vulnerability and the public disclosure of 
technical details, Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.

Supported Products Affected

Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, 
Linux, and Mac OS X are affected.
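An added inventory check, not part of the Oracle or AusCERT text: it parses the banner printed by `java -version` and classifies the installed release against the supported versions the alert lists as affected (7u97, 8u73, 8u74). Because Oracle's Java SE fixes are cumulative, older releases are reported separately as unsupported and still lacking the fix; whether the runtime is actually exposed through a browser plug-in must be checked separately.

```python
import re
from typing import Optional, Tuple

# Supported releases the alert names as affected (taken from the bulletin).
AFFECTED = {7: (97,), 8: (73, 74)}
HIGHEST_AFFECTED = {7: 97, 8: 74}

# Matches the Oracle 7/8 banner form: java version "1.8.0_73"
VERSION_RE = re.compile(r'version "1\.(?P<family>[78])\.0_(?P<update>\d+)')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a `java -version` banner, e.g. (8, 73)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group("family")), int(m.group("update"))


def classify(banner: str) -> str:
    """Classify a banner as affected / older-unsupported / newer / unknown."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"  # not a Java SE 7/8 banner; review manually
    family, update = parsed
    if update in AFFECTED[family]:
        return "affected"
    if update < HIGHEST_AFFECTED[family]:
        # Out of support and, since Java SE fixes are cumulative, also
        # without the fix shipped by this Security Alert.
        return "older-unsupported"
    return "newer"


if __name__ == "__main__":
    # Constructed sample banners, one per outcome.
    samples = [
        'java version "1.8.0_73"\nJava(TM) SE Runtime Environment (build 1.8.0_73-b02)',
        'java version "1.7.0_80"',
        'java version "1.8.0_91"',
        'openjdk version "11.0.2"',
    ]
    for s in samples:
        print(f"{s.splitlines()[0]:45} -> {classify(s)}")
```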

Patch Availability Table and Risk Matrix

Java SE fixes in this Security Alert are cumulative; this latest update 
includes all fixes from previous Critical Patch Updates and Security Alerts.

Patch Availability Table

Product Group:   Oracle Java SE
Risk Matrix:     Oracle Java SE Risk Matrix (in the Appendix below)
Patch Availability and Installation Information:
   Oracle Security Alert for CVE-2016-0636, My Oracle Support Note 2118304.1.

   Developers can download the latest release from
   http://www.oracle.com/technetwork/java/javase/downloads/index.html.

   Windows users running Java SE with a browser can download the latest
   release from http://java.com or use automatic updates to get the latest
   release.

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle 
Technology Network ]

Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
[ CPU FAQ ]

Risk Matrix definitions [ Risk Matrix Definitions ]

Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS 
Scoring ]

English text version of risk matrix [ Oracle Technology Network ]

CVRF XML version of the risk matrix [ Oracle Technology Network ]

Modification History

Date 			Comments

2016-March-23 Rev 1. 	Initial Release

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Security Alert contains 1 new security fix for Oracle Java SE. This 
vulnerability is remotely exploitable without authentication, i.e., may be 
exploited over a network without the need for a username and password. The 
English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web 
Start application has administrator privileges (typical on Windows). When the
user does not run with administrator privileges (typical on Solaris and 
Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, 
and Availability are "Partial" instead of "Complete", lowering the CVSS Base 
Score. For example, a Base Score of 10.0 becomes 7.5.

Oracle Java SE Risk Matrix

CVE#:                          CVE-2016-0636
Component:                     Java SE
Protocol:                      Multiple
Sub-component:                 Hotspot
Remote Exploit without Auth.?: Yes
CVSS Version 2.0 Risk (see Risk Matrix Definitions):
   Base Score:                 9.3
   Access Vector:              Network
   Access Complexity:          Medium
   Authentication:             None
   Confidentiality:            Complete
   Integrity:                  Complete
   Availability:               Complete
Supported Versions Affected:   Java SE: 7u97, 8u73, 8u74
Notes:                         See Note 1
Notes:

1. This vulnerability applies to Java deployments, typically in clients running 
sandboxed Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely on the 
Java sandbox for security. This vulnerability does not apply to Java 
deployments, typically in servers, that load and run only trusted code (e.g.,
code installed by an administrator).

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================