Vulnerability in Oracle Java SE Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2016-053

DATE(S) ISSUED:

03/24/2016

OVERVIEW:

A vulnerability in Oracle Java SE for desktop web browsers could allow for remote code execution. This vulnerability does not affect Java deployments, such as those in servers or standalone applications, that run only trusted code, nor does it affect Oracle server-based software. Successful exploitation of this vulnerability may allow for remote code execution in the context of the current application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

Technical details of the vulnerability have been publicly disclosed. There are no reports that this vulnerability is being used in the wild at this time.

SYSTEMS AFFECTED:

  • Oracle Java SE 7 Update 97
  • Oracle Java SE 8 Update 73 and 74

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

Oracle Java SE is vulnerable to a remote code execution vulnerability due to a flaw in its "Hotspot" sub-component. This vulnerability can be exploited when a user running an unpatched version of Java SE visits a malicious web page.

Successful exploitation of this vulnerability may allow for remote code execution in the context of the current application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  • Multiple memory corruption issues could allow for execution of arbitrary code with kernel privileges (CVE-2016-1733, CVE-2016-1734, CVE-2016-1735, CVE-2016-1736, CVE-2016-1743, CVE-2016-1744, CVE-2016-1746, CVE-2016-1747, CVE-2016-1748, CVE-2016-1749, CVE-2016-1754, CVE-2016-1755, CVE-2016-1759, CVE-2016-1741, CVE-2016-1717, CVE-2016-1719, CVE-2016-1720, CVE-2016-1721, CVE-2016-1722).
  • An out-of-bounds read issue could allow an attacker to determine kernel memory layout (CVE-2016-1732, CVE-2016-1758).
  • Multiple vulnerabilities in processing various file types can lead to arbitrary code execution (CVE-2015-8126, CVE-2015-8472, CVE-2016-1737, CVE-2016-1740, CVE-2014-9495, CVE-2015-0973, CVE-2016-1767, CVE-2016-1768, CVE-2016-1769, CVE-2015-8126, CVE-2016-1775, CVE-2015-1819, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500, CVE-2015-7942, CVE-2015-8035, CVE-2015-8242, CVE-2016-1761, CVE-2016-1762, CVE-2015-7995, CVE-2016-1740).
  • A code signing verification issue could allow for execution of arbitrary code in the application's context (CVE-2016-1738).

Successful exploitation of these vulnerabilities could result in, but is not limited to, information disclosure, access to restricted ports on arbitrary servers, the ability to determine kernel memory layout, or execution of arbitrary code within the context of the user or kernel.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the updates provided by Oracle immediately after appropriate testing.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Limit application and user access to only what is required.
  • Do not open email attachments from unknown or untrusted sources.
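
To decide which hosts need the Oracle update first, the check below parses collected `java -version` output and flags the releases listed under SYSTEMS AFFECTED. It is an added example, not part of the MS-ISAC advisory or any Oracle tooling; the hostnames, sample banners and function names are constructed for illustration.

```python
import re

# Affected releases exactly as listed under SYSTEMS AFFECTED: (major, update).
AFFECTED = {(7, 97), (8, 73), (8, 74)}

# Legacy version scheme printed by `java -version` on Java SE 7/8,
# e.g.  java version "1.8.0_74"  (an absent _NN suffix is treated as update 0).
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from `java -version` output, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(banner):
    """Map a banner to 'affected', 'not-listed' or 'unknown'.

    'not-listed' only means the advisory does not name that release;
    it is not a statement that the release is safe.
    """
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    return "affected" if version in AFFECTED else "not-listed"


def triage(inventory):
    """inventory maps hostname -> banner; returns sorted hosts on a listed release."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory (hostnames and banners are made up for the example).
SAMPLE = {
    "ws-01": 'java version "1.8.0_74"',
    "ws-02": 'java version "1.8.0_77"',
    "ws-03": 'java version "1.7.0_97"',
    "ws-04": "java: command not found",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(host, "runs a release the advisory lists as affected")
```

Hosts that come back as "unknown" still need a manual look, since a missing or unparseable banner says nothing about what the browser plug-in has installed.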
