Oracle Java SE 6 < Update 141 / 7 < Update 131 / 8 < Update 121 Multiple Vulnerabilities

The version of Oracle Java SE installed on the remote host is prior to 6 Update 141, 7 Update 131, or 8 Update 121 and is affected by multiple vulnerabilities :

• A flaw exists in the ‘ECDSASignature’ class of the Libraries subcomponent. The issue is triggered when handling signatures from DER input. This may allow a remote attacker to cause a signature in an incorrect format to be accepted. (CVE-2016-5546)
• An unspecified flaw exists related to the Libraries subcomponent. This may allow a remote attacker to cause a denial of service. No further details have been provided by the vendor. (CVE-2016-5547)
• An unspecified flaw exists related to the Libraries subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2016-5548, CVE-2016-5549)
• An unspecified flaw exists related to the Networking subcomponent. This may allow a remote attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2016-5552)
• A flaw exists in the Install New Software and Update features in the Mission Control subcomponent that may allow a man-in-the-middle attacker to intercept and manipulate JAR files, potentially resulting in the installation of malicious content. (CVE-2016-8328)
• An unspecified flaw exists related to the Networking subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3231)
• A flaw exists in the RMI registry and DCG (Distributed Garbage Collector) implementation that is triggered as certain input is not properly sanitized before being deserialized. This may allow a remote attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3241)
• An unspecified flaw exists related to the JAAS subcomponent. This may allow a context-dependent attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2017-3252)
• A flaw exists in the ‘PNGImageReader::readMetadata()’ function in ‘imageio/plugins/png/PNGImageReader.java’ that is triggered when handling ‘zTXt’ and ‘iTXt’ image chunks. With a specially crafted PNG image, a remote attacker can exhaust available memory resources. (CVE-2017-3253)
• An unspecified flaw exists related to the Deployment subcomponent. This may allow a remote attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3259)
• An unspecified flaw exists related to the Networking subcomponent. This may allow a context-dependent attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3261)
• An unspecified flaw exists related to the Java Mission Control subcomponent. This may allow a remote attacker to gain access to sensitive information. No further details have been provided by the vendor. (CVE-2017-3262)
• A flaw exists related to improper restrictions on protected field members for the atomic field updaters in the ‘java.util.concurrent.atomic’ package. This may allow a context-dependent attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3272)
• A flaw exists in the Hotspot subcomponent related to insecure class construction when handling exception stack frames. This may allow a context-dependent attacker to potentially execute arbitrary code outside of intended sandbox restrictions. (CVE-2017-3289)