SUSE Linux update for java-1_6_0-ibm
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2016-2183 CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 CVE-2017-1289 CVE-2017-3509 CVE-2017-3514 CVE-2017-3533 CVE-2017-3539 CVE-2017-3544 |
| CWE-ID | CWE-327 CWE-125 CWE-20 CWE-611 CWE-200 CWE-264 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
SUSE Linux Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU370
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-2183
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt transmitted data.
The vulnerability exists due to remote user's ability to control the network and capture long duration 3DES CBC mode encrypted session during which he can see a part of the text. In case of repeated sending the attacker can read the part and reconstruct the whole text.
Successful exploitation of this vulnerability may allow a remote attacker to decode transmitted data. This vulnerability is known as SWEET32.
MitigationUpdate the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Denial of service
EUVDB-ID: #VU6663
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-9840
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Denial of service
EUVDB-ID: #VU6664
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-9841
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Denial of service
EUVDB-ID: #VU6665
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-9842
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to an undefined left shift of negative number. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Denial of service
EUVDB-ID: #VU6666
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-9843
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in zlib due to big-endian out-of-bounds pointer. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) XML injection
EUVDB-ID: #VU6667
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-1289
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform XXE attack.
The weakness exists due to improper handling of XML External Entity (XXE) entries when parsing an XML data. A remote attacker can supply a specially crafted XML file to disclose important data or consume memory resources.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Security restrictions bypass
EUVDB-ID: #VU6668
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3509
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.
The weakness exists due to unknown error. A remote attacker can read and modify arbitrary files.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Remote code execution
EUVDB-ID: #VU6714
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3514
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to unknown error related to the Java SE AWT component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Security restrictions bypass
EUVDB-ID: #VU6670
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3533
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to modify information on the target system.
The weakness exists due to unknown error related to the Java SE, Java SE Embedded, JRockit Networking component. A remote attacker can access and modify arbitrary data.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Security restrictions bypass
EUVDB-ID: #VU6671
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3539
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to modify information on the target system.
The weakness exists due to unknown error related to the Java SE, Java SE Embedded Security component. A remote attacker can trick the victim into visiting a specially crafted webpage, access and modify arbitrary data.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Security restrictions bypass
EUVDB-ID: #VU6672
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3544
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to modify information on the target system.
The weakness exists due to unknown error related to the Java SE, Java SE Embedded Networking component. A remote attacker can access and modify arbitrary data.
Update the affected package to version: java-1_6_0-ibm-1.6.0_sr16.45-84.1
Vulnerable software versionsSUSE Linux: 11
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
