SB2017070506 - Gentoo update for IcedTea

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017070506

SB2017070506 - Gentoo update for IcedTea

Published: July 5, 2017

Security Bulletin ID SB2017070506
Severity
High
Patch available
YES
Number of vulnerabilities 22
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 36% Medium 14% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 22 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2016-2183)

The vulnerability allows a remote attacker to decrypt transmitted data.

The vulnerability exists due to remote user's ability to control the network and capture long duration 3DES CBC mode encrypted session during which he can see a part of the text. In case of repeated sending the attacker can read the part and reconstruct the whole text.

Successful exploitation of this vulnerability may allow a remote attacker to decode transmitted data. This vulnerability is known as SWEET32.


2) Modification of information (CVE-ID: CVE-2016-5546)

The vulnerability allows a remote unauthenticated attacker to modify information.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can modify arbitrary data on the system.

3) Denial of service (CVE-ID: CVE-2016-5547)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

4) Information disclosure (CVE-ID: CVE-2016-5548)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

5) Information disclosure (CVE-ID: CVE-2016-5549)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

6) Modification of information (CVE-ID: CVE-2016-5552)

The vulnerability allows a remote unauthenticated attacker to modify information.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Networking component. A remote attacker can modify arbitrary data on the system.

7) Information disclosure (CVE-ID: CVE-2017-3231)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Networking component. A remote attacker can trick the victim into visiting a specially crafted webpage read arbitrary files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

8) Remote code execution (CVE-ID: CVE-2017-3241)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the RMI component. A remote attacker can execute arbitrary code with privileges of the current user and compromise vulnerable system.

9) Modification of information (CVE-ID: CVE-2017-3252)

The vulnerability allows a remote authenticated attacker to modify information.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the JAAS component. A remote attacker can trick the victim into visiting a specially crafted webpage and modify arbitrary data on the system.

10) Denial of service (CVE-ID: CVE-2017-3253)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the 2D component. A remote attacker can cause the system to crash.

Successful exploitation of the vulnerability results in denial of service.

11) Remote code execution (CVE-ID: CVE-2017-3260)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code.

The weakness exists due to unknown error in Oracle Java SE related to the AWT component. A remote attacker can trick the victim into visiting a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.

12) Information disclosure (CVE-ID: CVE-2017-3261)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Networking component. A remote attacker can trick the victim into visiting a specially crafted webpage and read arbitrary files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

13) Remote code execution (CVE-ID: CVE-2017-3272)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.

14) Remote code execution (CVE-ID: CVE-2017-3289)

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Hotspot component. A remote attacker can trick the victim into opening a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.

15) Security restrictions bypass (CVE-ID: CVE-2017-3509)

The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The weakness exists due to unknown error. A remote attacker can read and modify arbitrary files.


16) Remote code execution (CVE-ID: CVE-2017-3511)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to unknown error related to the Java SE, Java SE Embedded, JRockit JCE component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

17) Remote code execution (CVE-ID: CVE-2017-3512)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to unknown error related to the Java SE AWT component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

18) Remote code execution (CVE-ID: CVE-2017-3514)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to unknown error related to the Java SE AWT component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

19) Denial of service (CVE-ID: CVE-2017-3526)

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted webpage and cause the system to crash.

Successful exploitation of the vulnerability results in denial of service.

20) Security restrictions bypass (CVE-ID: CVE-2017-3533)

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to unknown error related to the Java SE, Java SE Embedded, JRockit Networking component. A remote attacker can access and modify arbitrary data.


21) Security restrictions bypass (CVE-ID: CVE-2017-3539)

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to unknown error related to the Java SE, Java SE Embedded Security component. A remote attacker can trick the victim into visiting a specially crafted webpage, access and modify arbitrary data.

22) Security restrictions bypass (CVE-ID: CVE-2017-3544)

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to unknown error related to the Java SE, Java SE Embedded Networking component. A remote attacker can access and modify arbitrary data.


Remediation

Install update from vendor's website.

References