Date: 24 March 2016
References: ESB-2016.0790 ESB-2016.0791 ESB-2016.0863 ESB-2016.1025 ESB-2016.1037 ESB-2016.1468 ESB-2016.1519 ESB-2016.1586
AUSCERT External Security Bulletin Redistribution
Oracle Security Alert for CVE-2016-0636
24 March 2016
AusCERT Security Bulletin Summary
Product: Oracle Java SE
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
CVE Names: CVE-2016-0636
Comment: IMPORTANT: Due to the severity of this vulnerability and the public
disclosure of technical details, Oracle strongly recommends that
customers apply the updates provided by this Security Alert as soon
as possible.
--------------------------BEGIN INCLUDED TEXT--------------------
Oracle Security Alert for CVE-2016-0636
This Security Alert addresses CVE-2016-0636, a vulnerability affecting Java SE
running in web browsers on desktops. This vulnerability is not applicable to
Java deployments, typically in servers or standalone desktop applications,
that load and run only trusted code. It also does not affect Oracle
This vulnerability may be remotely exploitable without authentication, i.e.,
may be exploited over a network without the need for a username and password.
To be successfully exploited, an unsuspecting user running an affected release
in a browser will need to visit a malicious web page that leverages this
vulnerability. Successful exploits can impact the availability, integrity, and
confidentiality of the user's system.
Due to the severity of this vulnerability and the public disclosure of
technical details, Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.
Supported Products Affected
Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris,
Linux, and Mac OS X are affected.
Patch Availability Table and Risk Matrix
Java SE fixes in this Security Alert are cumulative; this latest update
includes all fixes from previous Critical Patch Updates and Security Alerts.
Patch Availability Table
Product Group: Oracle Java SE
Risk Matrix: Oracle Java SE Risk Matrix
Patch Availability and Installation Information: Oracle Security Alert for CVE-2016-0636, My Oracle Support Note 2118304.1.
Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
Windows users running Java SE with a browser can download the latest release from http://java.com or use automatic updates to get the latest release.
Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS
English text version of risk matrix [ Oracle Technology Network ]
CVRF XML version of the risk matrix [ Oracle Technology Network ]
2016-March-23 Rev 1. Initial Release
Appendix - Oracle Java SE
Oracle Java SE Executive Summary
This Security Alert contains 1 new security fix for Oracle Java SE. This
vulnerability is remotely exploitable without authentication, i.e., may be
exploited over a network without the need for a username and password. The
English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web
Start application has administrator privileges (typical on Windows). When the
user does not run with administrator privileges (typical on Solaris and
Linux), the corresponding CVSS impact scores for Confidentiality, Integrity,
and Availability are "Partial" instead of "Complete", lowering the CVSS Base
Score. For example, a Base Score of 10.0 becomes 7.5.
Oracle Java SE Risk Matrix
CVE#: CVE-2016-0636
Component: Java SE
Protocol: Multiple
Sub-component: Hotspot
Remote Exploit without Auth.?: Yes
CVSS Version 2.0 Risk (see Risk Matrix Definitions):
  Base Score: 9.3
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality: Complete
  Integrity: Complete
  Availability: Complete
Supported Versions Affected: Java SE: 7u97, 8u73, 8u74
Notes: See Note 1
1. This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely on the
Java sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code (e.g.,
code installed by an administrator).
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.