CERT-In Advisory
CIAD-2011-0058
Multiple Vulnerabilities in Oracle Java Development Kit and Java Runtime Environment and JRockit
Original Issue Date: November 02, 2011
Severity Rating: High
Systems Affected
- JDK and JRE 7
- JDK and JRE 6 Update 27 and earlier
- JDK and JRE 5.0 Update 31 and earlier
- SDK and JRE 1.4.2_33 and earlier
- JavaFX 2.0
- JRockit R28.1.4 and earlier (JDK and JRE 6 and 5.0)
Overview
Multiple vulnerabilities have been reported in Oracle Java Development Kit and Java Runtime Environment, which can be exploited by a remote attacker to bypass certain security restrictions, manipulate certain data, disclose potentially sensitive information, execute arbitrary code, cause a Denial of Service condition, or potentially compromise a vulnerable system.
Description
1. Oracle Java SE and Java for Business Networking sub-component Vulnerabilities (CVE-2011-3547, CVE-2011-3552)
These vulnerabilities are caused by unspecified flaws in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier. A remote unauthenticated attacker could exploit these vulnerabilities via unknown vectors related to the Networking sub-component to affect confidentiality, integrity, and availability.
2. Oracle Java Runtime Environment Vulnerabilities (CVE-2011-3554, CVE-2011-3555)
One unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and 5.0 Update 31 and earlier, and another unspecified vulnerability exists in Oracle Java SE JDK and JRE 7. Exploitation of these vulnerabilities allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity and availability via unknown vectors.
3. Vulnerability in Scripting sub-component of Oracle Java SE and Java for Business (CVE-2011-3544)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier, which allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
4. Vulnerabilities in Deployment sub-component of Oracle Java SE and Java for Business (CVE-2011-3516, CVE-2011-3546, CVE-2011-3561)
Two unspecified vulnerabilities exist in the Deployment sub-component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JavaFX 2.0, and one unspecified vulnerability exists in the Deployment sub-component in Oracle Java SE JDK and JRE 6 Update 27 and earlier. These allow remote unauthenticated attackers to affect confidentiality, integrity, and availability via unknown vectors.
5. Vulnerabilities in AWT sub-component of Oracle Java SE and Java for Business (CVE-2011-3550, CVE-2011-3548)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier, and another unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. Exploitation of either vulnerability allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to AWT.
6. Vulnerabilities in RMI sub-component of Oracle Java SE and Java for Business (CVE-2011-3556, CVE-2011-3557)
Two unspecified vulnerabilities exist in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier, which allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to RMI.
7. Vulnerability in Sound sub-component of Oracle Java SE and Java for Business (CVE-2011-3545)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier. Exploitation of this vulnerability allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound.
8. Vulnerability in Swing sub-component of Oracle Java SE and Java for Business (CVE-2011-3549)
An unspecified vulnerability exists in the Swing sub-component of the Java Runtime Environment component in Oracle Java SE JDK and JRE 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier, which allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing.
9. Vulnerability in Deserialization sub-component of Oracle Java SE and Java for Business (CVE-2011-3521)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and 5.0 Update 31 and earlier, which allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
10. Vulnerability in 2D sub-component of Oracle Java SE and Java for Business (CVE-2011-3551)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier, which allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
11. Vulnerability in JSSE sub-component of Oracle Java SE and Java for Business (CVE-2011-3389)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier, which allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity via unknown vectors related to JSSE.
12. Vulnerability in HotSpot sub-component of Oracle Java SE and Java for Business (CVE-2011-3558)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier, which allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.
13. Vulnerability in JAXWS sub-component of Oracle Java SE and Java for Business (CVE-2011-3553)
An unspecified vulnerability exists in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier, which allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity via unknown vectors related to JAXWS.
Solution
Apply the patches described in the vendor advisory:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
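Before applying the vendor patch, an administrator will usually want to confirm whether an installed JRE actually falls inside the ranges listed under Systems Affected. The following Python script is an added example, not part of this advisory or of Oracle's material: it parses `java -version` output and compares the release family and update level against those ranges. It assumes the advisory's bare "JDK and JRE 7" denotes the initial 7 release without an update number, and the sample version strings are constructed.

```python
import re
import subprocess

# Affected ranges copied from this advisory's "Systems Affected" list: key is
# (major, minor, micro) of the version string, value the highest update level
# still affected. Assumption: "JDK and JRE 7" with no update qualifier means
# the initial 7 release, i.e. 1.7.0 with no _NN suffix.
AFFECTED_MAX_UPDATE = {
    (1, 7, 0): 0,   # JDK and JRE 7
    (1, 6, 0): 27,  # JDK and JRE 6 Update 27 and earlier
    (1, 5, 0): 31,  # JDK and JRE 5.0 Update 31 and earlier
    (1, 4, 2): 33,  # SDK and JRE 1.4.2_33 and earlier
}

_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` output,
    or None if no recognisable version line is present."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)

def is_affected(output):
    """True when the reported JRE is inside an affected range of CIAD-2011-0058;
    False when it is above that level or in a family the advisory does not list."""
    parsed = parse_java_version(output)
    if parsed is None:
        raise ValueError("no 'java version' line found in output")
    family, update = parsed[:3], parsed[3]
    max_affected = AFFECTED_MAX_UPDATE.get(family)
    return max_affected is not None and update <= max_affected

# Constructed sample outputs in the format `java -version` writes to stderr.
SAMPLES = {
    "6u27": 'java version "1.6.0_27"\nJava(TM) SE Runtime Environment (build 1.6.0_27-b07)',
    "6u29": 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)',
    "7": 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)',
    "1.4.2_33": 'java version "1.4.2_33"\nJava(TM) 2 Runtime Environment, Standard Edition',
}

if __name__ == "__main__":
    try:  # live check of whichever java binary is first on PATH
        live = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
        print("installed JRE:", "AFFECTED" if is_affected(live) else "not affected")
    except (FileNotFoundError, ValueError) as exc:
        print("installed JRE could not be checked:", exc)
```

A JRE reported as not affected because its family is absent from the table (for example a later major release) is simply outside this advisory's scope, not certified as patched against other issues.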
Vendor Information
Oracle
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://blogs.oracle.com/security/entry/october_2011_critical_patch_updates
References
Oracle
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://blogs.oracle.com/security/entry/october_2011_critical_patch_updates
Security Tracker
http://securitytracker.com/id/1026215
http://securitytracker.com/id/1026216
http://securitytracker.com/id/1026218
http://securitytracker.com/id/1026219
http://securitytracker.com/id/1026229
Security Focus
http://www.securityfocus.com/bid/50237
http://www.securityfocus.com/bid/50223
http://www.securityfocus.com/bid/50220
http://www.securityfocus.com/bid/50226
http://www.securityfocus.com/bid/50239
http://www.securityfocus.com/bid/50250
http://www.securityfocus.com/bid/50229
http://www.securityfocus.com/bid/50246
http://www.securityfocus.com/bid/46398
http://www.securityfocus.com/bid/50242
http://www.securityfocus.com/bid/50211
http://www.securityfocus.com/bid/50224
http://www.securityfocus.com/bid/50218
http://www.securityfocus.com/bid/50215
http://www.securityfocus.com/bid/49778
http://www.securityfocus.com/bid/50248
http://www.securityfocus.com/bid/50234
http://www.securityfocus.com/bid/50243
http://www.securityfocus.com/bid/50236
http://www.securityfocus.com/bid/50216
http://www.securityfocus.com/bid/50231
CVE Name
CVE-2011-3547
CVE-2011-3552
CVE-2011-3554
CVE-2011-3555
CVE-2011-3544
CVE-2011-3516
CVE-2011-3546
CVE-2011-3561
CVE-2011-3550
CVE-2011-3548
CVE-2011-3556
CVE-2011-3557
CVE-2011-3545
CVE-2011-3549
CVE-2011-3551
CVE-2011-3389
CVE-2011-3558
CVE-2011-3553
CVE-2011-3521
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India