History: Jan 16, 2018 - 12:00 a.m.

KLA11178 Multiple vulnerabilities in Oracle Java SE, Java SE Embedded and JRockit

2018-01-16 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 6.8
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.3
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score: 8 (Confidence: High)
EPSS: 0.007 (Percentile: 80.1%)

Multiple serious vulnerabilities have been found in Oracle Java SE, Java SE Embedded and JRockit. Attackers can exploit these vulnerabilities, possibly to cause a denial of service, gain privileges, compromise integrity and obtain sensitive information.

Below is the list of vulnerabilities:

  1. An unspecified vulnerability in the Java SE Deployment component can be exploited remotely, possibly to gain privileges;
  2. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit JNDI component can be exploited remotely, possibly to gain privileges;
  3. An unspecified vulnerability in the Java SE Installer component can be exploited locally, possibly to gain privileges;
  4. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit JMX component can be exploited remotely, possibly to cause loss of integrity and obtain sensitive information;
  5. An unspecified vulnerability in the Java SE and Java SE Embedded JGSS component can be exploited remotely, possibly to obtain sensitive information;
  6. An unspecified vulnerability in the Java SE and Java SE Embedded Hotspot component can be exploited remotely, possibly to cause loss of integrity;
  7. An unspecified vulnerability in the Java SE and Java SE Embedded AWT component can be exploited remotely, possibly to cause loss of integrity;
  8. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit JCE component can be exploited remotely, possibly to obtain sensitive information;
  9. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit JGSS component can be exploited remotely, possibly to cause loss of integrity;
  10. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit Libraries component can be exploited remotely, possibly to cause a denial of service;
  11. An unspecified vulnerability in the Java SE and JRockit Serialization component can be exploited remotely, possibly to cause a denial of service;
  12. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit JNDI component can be exploited remotely, possibly to cause loss of integrity and a denial of service;
  13. An unspecified vulnerability in the Java SE JavaFX component can be exploited remotely, possibly to obtain sensitive information;
  14. An unspecified vulnerability in the Java SE and Java SE Embedded I18n component can be exploited locally, possibly to obtain sensitive information, cause loss of integrity and cause a denial of service;
  15. An unspecified vulnerability in the Java SE and Java SE Embedded AWT component can be exploited remotely, possibly to cause a denial of service;
  16. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit JNDI component can be exploited remotely, possibly to cause a denial of service;
  17. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit LDAP component can be exploited remotely, possibly to obtain sensitive information;
  18. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit Libraries component can be exploited remotely, possibly to cause a denial of service;
  19. An unspecified vulnerability in the Java Advanced Management Console Server component can be exploited remotely, possibly to obtain sensitive information;
  20. An unspecified vulnerability in the Java SE, Java SE Embedded and JRockit Libraries component can be exploited remotely, possibly to obtain sensitive information.

Original advisories

Oracle Critical Patch Update Advisory – January 2018

Related products

Oracle-Java-JRE-1.7.x

Oracle-Java-JRE-1.8.x

Oracle-JRockit

CVE list

CVE-2018-2641: warning
CVE-2018-2581: warning
CVE-2018-2634: warning
CVE-2018-2639: high
CVE-2018-2582: warning
CVE-2018-2602: warning
CVE-2018-2603: warning
CVE-2018-2678: warning
CVE-2018-2657: warning
CVE-2018-2633: high
CVE-2018-2588: warning
CVE-2018-2627: warning
CVE-2018-2637: high
CVE-2018-2618: warning
CVE-2018-2675: warning
CVE-2018-2677: warning
CVE-2018-2629: warning
CVE-2018-2599: high
CVE-2018-2638: high
CVE-2018-2663: warning
CVE-2018-2579: warning

Solution

Update to the latest version

Oracle software downloads

Impacts

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can let an attacker capture information that is critical to the user or the system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional failure.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can allow actions that the current security settings restrict.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can let an attacker perform actions that are normally disallowed for the current role.

  • RLF

Read local files. Exploitation of vulnerabilities with this impact can allow reading of files that should be inaccessible. Which files can be read depends on the specific program error.

  • LoI

Loss of integrity. Exploitation of vulnerabilities with this impact can lead to partial system failure or disruption of connections between system components.

Affected Products

  • Java SE 6 version 6u171 and earlier
  • Java SE 7 version 7u161 and earlier
  • Java SE 8 version 8u152 and earlier
  • Java SE 9 version 9.0.1 and earlier
  • Java SE Embedded version 8u151 and earlier
  • JRockit version R28.3.16 and earlier
  • Java Advanced Management Console version 2.8 and earlier
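A practical way to act on the Affected Products list is to compare the version string a host reports with the cutoffs above. The Python script below is an added example, not code from Kaspersky Lab or Oracle. It parses both the legacy 1.x.0_NN scheme used by Java 6 to 8 and the 9.0.x scheme used by Java 9, treats any build at or below the listed cutoff as affected, and applies the separate 8u151 cutoff when told the runtime is Java SE Embedded. It assumes the check is on version numbers only: it does not distinguish Oracle's Java SE from other builds that use the same numbering, and it does not parse JRockit (R28.x) or Advanced Management Console (2.x) versions. The function names and the sample banners are the example's own.

```python
"""Check a Java version string against the Affected Products cutoffs of this advisory.

Cutoffs (last affected build per release line, taken from the advisory):
  Java SE 6 <= 6u171, Java SE 7 <= 7u161, Java SE 8 <= 8u152,
  Java SE 9 <= 9.0.1, Java SE Embedded <= 8u151.
Builds above a cutoff are outside the affected range of this advisory.
"""
import re
import subprocess
from typing import Optional, Tuple

# Last affected update number per legacy release line (from the advisory).
LAST_AFFECTED_UPDATE = {6: 171, 7: 161, 8: 152}
LAST_AFFECTED_EMBEDDED_8 = 151          # Java SE Embedded 8u151 and earlier
LAST_AFFECTED_9 = (9, 0, 1)             # Java SE 9.0.1 and earlier

# Legacy scheme used by Java 6-8: 1.8.0_152, optionally with a build suffix (-b16).
_LEGACY = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?(?:-b\d+)?$")
# JEP 223 scheme used by Java 9+: 9, 9.0.1, 9.0.1+11.
_JEP223 = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\+\d+)?$")


def parse_java_version(text: str) -> Tuple[int, Tuple[int, ...]]:
    """Return (major, detail) for a bare version string or a full `java -version` banner line.

    For Java 6-8 `detail` is (update,); for Java 9+ it is (major, minor, security),
    so the tuples compare directly against the cutoffs above.
    """
    banner = re.search(r'version\s+"([^"]+)"', text)
    ver = banner.group(1) if banner else text.strip()
    legacy = _LEGACY.match(ver)
    if legacy:
        return int(legacy.group(1)), (int(legacy.group(2) or 0),)
    new = _JEP223.match(ver)
    if new:
        major, minor, security = (int(g or 0) for g in new.groups())
        return major, (major, minor, security)
    raise ValueError(f"unrecognised Java version string: {ver!r}")


def is_affected(text: str, embedded: bool = False) -> Optional[bool]:
    """True if the build falls inside the advisory's affected range, False if it is a
    later build of a covered release line, None if the release line is not covered
    by this advisory at all (for example Java 10 and later)."""
    major, detail = parse_java_version(text)
    if major == 9:
        return detail <= LAST_AFFECTED_9
    if major in LAST_AFFECTED_UPDATE:
        cutoff = LAST_AFFECTED_UPDATE[major]
        if embedded and major == 8:
            cutoff = LAST_AFFECTED_EMBEDDED_8
        return detail[0] <= cutoff
    return None


def check_local_java() -> Optional[bool]:
    """Evaluate the JRE on PATH. `java -version` prints its banner on stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None                      # no java binary on PATH
    banner = (proc.stderr or proc.stdout).splitlines()
    return is_affected(banner[0]) if banner else None


if __name__ == "__main__":
    # Constructed sample banners (not captured from a real host), one per release line.
    for line in ('java version "1.6.0_171"', 'java version "1.7.0_161-b13"',
                 'java version "1.8.0_152"', 'java version "1.8.0_161"',
                 'java version "9.0.1"', 'java version "9.0.4"', 'java version "10"'):
        print(f"{line:32} affected={is_affected(line)}")
```

Run as a script it prints the verdict for the constructed banners; call check_local_java() to evaluate the JRE actually on PATH. A None result means the release line is not one the advisory lists, not that the build is safe, so treat it as "consult a newer advisory" rather than "patched".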
