Vulnerability in Oracle Java SE Could Allow for Remote Code Execution
MS-ISAC ADVISORY NUMBER:2016-053
A vulnerability in Oracle Java SE for desktop web browsers could allow for remote code execution. This vulnerability does not affect Java deployments, such as those in servers or standalone applications that run only trusted code nor does it affect Oracle server-based software. Successful exploitation of this vulnerability may allow for remote code execution in the context of the current application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Technical details of the vulnerability have been publicly disclosed. There are no reports that this vulnerability is being used in the wild at this time.
- Oracle Java SE 7 Update 97
- Oracle Java SE 8 Update 73 and 74
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
Oracle Java SE is vulnerable to a remote code execution vulnerability due to a flaw in its "Hotspot" sub-component. This vulnerability can be exploited when a user running an unpatched version of Java SE visits a malicious web page.
Successful exploitation of this vulnerability may allow for remote code execution in the context of the current application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Multiple memory corruption could allow for execution of arbitrary code with kernel privileges (CVE-2016-1733, CVE-2016-1734, CVE-2016-1735, CVE-2016-1736, CVE-2016-1743, CVE-2016-1744, CVE-2016-1746, CVE-2016-1747, CVE-2016-1748, CVE-2016-1749, CVE-2016-1754, CVE-2016-1755, CVE-2016-1759, CVE-2016-1741, CVE-2016-1717, CVE-2016-1719, CVE-2016-1720, CVE-2016-1721, CVE-2016-1722)
Out-of-bounds read issue could allow the attacker to be able to determine kernel memory layout (CVE-2016-1732, CVE-2016-1758 )
Multiple vulnerabilities in processing various file types can lead to arbitrary code execution(CVE-2015-8126, CVE-2015-8472 ,CVE-2016-1737, CVE-2016-1740, CVE-2014-9495, CVE-2015-0973, CVE-2016-1767, CVE-2016-1768, CVE-2016-1769, CVE-2015-8126, CVE-2016-1775, CVE-2015-1819, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500, CVE-2015-7942, CVE-2015-8035, CVE-2015-8242, CVE-2016-1761, CVE-2016-1762, CVE-2015-7995, CVE-2016-1740)
A code signing verification issue could allow for execution of arbitrary code in the application's context (CVE-2016-1738)
Successful exploitation of these vulnerabilities could result in but not limited to information disclosure, access restricted ports on arbitrary servers, give an attacker the ability determine kernel memory layout, or allow for arbitrary code to be run within the context of the user or kernel.
We recommend the following actions be taken:
Install the updates provided by Oracle immediately after appropriate testing..
Remind users not to visit websites or follow links provided by unknown or untrusted sources.
Limit application and user access to only what is required.
Do not open email attachments from unknown or untrusted sources.