SUSE Linux update for java-1
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2016-2183 CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5549 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3260 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289 |
| CWE-ID | CWE-327 CWE-20 CWE-200 CWE-264 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #8 is available. |
| Vulnerable software |
SUSE Linux Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU370
Risk: Low
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2016-2183
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt transmitted data.
The vulnerability exists due to remote user's ability to control the network and capture long duration 3DES CBC mode encrypted session during which he can see a part of the text. In case of repeated sending the attacker can read the part and reconstruct the whole text.
Successful exploitation of this vulnerability may allow a remote attacker to decode transmitted data. This vulnerability is known as SWEET32.
MitigationUpdate the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Modification of information
EUVDB-ID: #VU7325
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-5546
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to modify information.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can modify arbitrary data on the system.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Denial of service
EUVDB-ID: #VU7326
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5547
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU7327
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5548
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU7328
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5549
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Modification of information
EUVDB-ID: #VU7329
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5552
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to modify information.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Networking component. A remote attacker can modify arbitrary data on the system.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU7330
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3231
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Networking component. A remote attacker can trick the victim into visiting a specially crafted webpage read arbitrary files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Remote code execution
EUVDB-ID: #VU7331
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-3241
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the RMI component. A remote attacker can execute arbitrary code with privileges of the current user and compromise vulnerable system.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Modification of information
EUVDB-ID: #VU7332
Risk: Medium
CVSSv4.0: 4.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-3252
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to modify information.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the JAAS component. A remote attacker can trick the victim into visiting a specially crafted webpage and modify arbitrary data on the system.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Denial of service
EUVDB-ID: #VU7333
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-3253
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the 2D component. A remote attacker can cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Remote code execution
EUVDB-ID: #VU7334
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3260
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code.
The weakness exists due to unknown error in Oracle Java SE related to the AWT component. A remote attacker can trick the victim into visiting a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Information disclosure
EUVDB-ID: #VU7335
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3261
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Networking component. A remote attacker can trick the victim into visiting a specially crafted webpage and read arbitrary files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Remote code execution
EUVDB-ID: #VU7336
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3272
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Remote code execution
EUVDB-ID: #VU6712
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3289
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Hotspot component. A remote attacker can trick the victim into opening a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.
Update the affected packages.
SUSE Linux: 12
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
