SB2017121311 - Red Hat update for java-1.8.0-ibm
Published: December 13, 2017 Updated: February 27, 2025
Security Bulletin ID
SB2017121311
Severity
High
Patch available
YES
Number of vulnerabilities
50
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 50 secuirty vulnerabilities.
1) Denial of service (CVE-ID: CVE-2016-9840)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
2) Denial of service (CVE-ID: CVE-2016-9841)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
3) Denial of service (CVE-ID: CVE-2016-9842)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists in zlib due to an undefined left shift of negative number. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
4) Denial of service (CVE-ID: CVE-2016-9843)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists in zlib due to big-endian out-of-bounds pointer. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
5) Information disclosure (CVE-ID: CVE-2016-10165)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to a flaw in the 2D (Little CMS 2) component. A remote attacker can read arbitrary files on the target system.
6) Buffer over-read (CVE-ID: CVE-2017-12899)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to buffer over-read in the DECnet component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.
7) Buffer over-read (CVE-ID: CVE-2017-12898)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to buffer over-read in the NFS component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.
8) Buffer over-read (CVE-ID: CVE-2017-12897)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to buffer over-read in the ISO CLNS component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.
9) Buffer over-read (CVE-ID: CVE-2017-12896)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to buffer over-read in the ISAKMP component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.
10) Buffer over-read (CVE-ID: CVE-2017-12895)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to buffer over-read in the ICMP component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.
11) Buffer over-read (CVE-ID: CVE-2017-12894)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to buffer over-read in the lookup_bytestring component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.
12) Buffer over-read (CVE-ID: CVE-2017-12893)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to buffer over-read in the SMB/CIFS component. A remote attacker can send a specially crafted request and retrieve arbitrary files on the system.
13) Insecure DLL loading (CVE-ID: CVE-2017-12892)
The vulnerability allows a remote attacker to gain elevated privileges.The vulnerability exists in the application's installer package due to untrusted search path elemant. A remote attacker can place a specially crafted .dll file on a remote SBM or WebDAV share, trick the victim into opening legitimate media file and execute arbitrary code on the target system with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
14) XML injection (CVE-ID: CVE-2017-1289)
The vulnerability allows a remote attacker to perform XXE attack.The weakness exists due to improper handling of XML External Entity (XXE) entries when parsing an XML data. A remote attacker can supply a specially crafted XML file to disclose important data or consume memory resources.
Successful exploitation of the vulnerability results in information disclosure.
15) Security restrictions bypass (CVE-ID: CVE-2017-3509)
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.The weakness exists due to unknown error. A remote attacker can read and modify arbitrary files.
16) Remote code execution (CVE-ID: CVE-2017-3511)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to unknown error related to the Java SE, Java SE Embedded, JRockit JCE component. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
17) Security restrictions bypass (CVE-ID: CVE-2017-3533)
The vulnerability allows a remote attacker to modify information on the target system.The weakness exists due to unknown error related to the Java SE, Java SE Embedded, JRockit Networking component. A remote attacker can access and modify arbitrary data.
18) Security restrictions bypass (CVE-ID: CVE-2017-3539)
The vulnerability allows a remote attacker to modify information on the target system.The weakness exists due to unknown error related to the Java SE, Java SE Embedded Security component. A remote attacker can trick the victim into visiting a specially crafted webpage, access and modify arbitrary data.
19) Security restrictions bypass (CVE-ID: CVE-2017-3544)
The vulnerability allows a remote attacker to modify information on the target system.The weakness exists due to unknown error related to the Java SE, Java SE Embedded Networking component. A remote attacker can access and modify arbitrary data.
20) Denial of service (CVE-ID: CVE-2017-10053)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to unknown error. A remote attacker can cause the application to crash.
21) Privilege escalation (CVE-ID: CVE-2017-10067)
The vulnerability allows a remote authenticated attacker to gain elevated privileges.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website and gain privileged access to the system.
22) Security restrictions bypass (CVE-ID: CVE-2017-10078)
The vulnerability allows a remote attacker to bypass security restrictions.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions and disclose and modify important data on the system.
23) Remote code execution (CVE-ID: CVE-2017-10087)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
24) Remote code execution (CVE-ID: CVE-2017-10089)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
25) Remote code execution (CVE-ID: CVE-2017-10090)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
26) Remote code execution (CVE-ID: CVE-2017-10096)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
27) Remote code execution (CVE-ID: CVE-2017-10101)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
28) Remote code execution (CVE-ID: CVE-2017-10102)
The vulnerability allows a remote authenticated attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
29) Security restrictions bypass (CVE-ID: CVE-2017-10105)
The vulnerability allows a remote attacker to bypass security restrictions.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions and modify arbitrary data on the system.
30) Remote code execution (CVE-ID: CVE-2017-10107)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
31) Denial of service (CVE-ID: CVE-2017-10108)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to unknown error. A remote attacker can cause the application to crash.
32) Denial of service (CVE-ID: CVE-2017-10109)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to unknown error. A remote attacker can cause the application to crash.
33) Remote code execution (CVE-ID: CVE-2017-10110)
The vulnerability allows a remote attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take control over the affected system.
34) Information disclosure (CVE-ID: CVE-2017-10115)
The vulnerability allows a remote attacker to obtain potentially sensitive information.The weakness exists due to unknown error. A remote attacker can disclose important data on the target system
35) Remote code execution (CVE-ID: CVE-2017-10116)
The vulnerability allows a remote authenticated attacker to execute arbitrary code.The weakness exists due to unknown error. A remote attacker can trick the victim into visiting a specially crafted website, execute arbitrary code with elevated privileges and take full control over the system.
36) Information disclosure (CVE-ID: CVE-2017-10243)
The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.The weakness exists due to unknown error. A remote attacker can disclose arbitrary files or cause the application to crash.
37) Denial of service (CVE-ID: CVE-2017-10281)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service on the target system.
38) Privilege escalation (CVE-ID: CVE-2017-10285)
The vulnerability allows a remote attacker to gain elevated privileges.The weakness exists due to a flaw in the RMI component. A remote attacker can escalate his privileges on the target system.
39) Improper access control (CVE-ID: CVE-2017-10295)
The vulnerability allows a remote attacker to access potentially sensitive information.The weakness exists due to a flaw in the Javadoc component. A remote attacker can partially modify arbitrary files on the target system.
40) Improper access control (CVE-ID: CVE-2017-10309)
The vulnerability allows a remote attacker to access potentially sensitive information and cause DoS condition.The weakness exists due to a flaw in the Deployment component. A remote attacker can partially read and modify arbitrary files and cause partial denial of service on the target system.
41) Improper access control (CVE-ID: CVE-2017-10345)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service.
42) Privilege escalation (CVE-ID: CVE-2017-10346)
The vulnerability allows a remote attacker to gain elevated privileges.The weakness exists due to a flaw in the Hotspot component. A remote attacker can escalate his privileges on the target system.
43) Denial of service (CVE-ID: CVE-2017-10347)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service on the target system.
44) Improper access control (CVE-ID: CVE-2017-10348)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the Libraries component. A remote attacker can trigger partial denial of service.
45) Improper access control (CVE-ID: CVE-2017-10349)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the JAXP component. A remote attacker can trigger partial denial of service.
46) Improper access control (CVE-ID: CVE-2017-10350)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the JAX-WS component. A remote attacker can trigger partial denial of service.
47) Improper access control (CVE-ID: CVE-2017-10355)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the Networking component. A remote attacker can trigger partial denial of service.
48) Improper access control (CVE-ID: CVE-2017-10356)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.The weakness exists due to a flaw in the Security component. A remote attacker can gain unauthorized access to sensitive information.
49) Improper access control (CVE-ID: CVE-2017-10357)
The vulnerability allows a remote attacker to cause DoS condition.The weakness exists due to a flaw in the Serialization component. A remote attacker can trigger partial denial of service.
50) Privilege escalation (CVE-ID: CVE-2017-10388)
The vulnerability allows a remote attacker to gain elevated privileges.The weakness exists due to a flaw in the Libraries component. A remote attacker can escalate his privileges on the target system.
Remediation
Install update from vendor's website.