
Java update news


Oracle today released the January 2017 Critical Patch Update.

This Critical Patch Update provides fixes for a wide range of product families, including Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE, and Oracle MySQL.

We recommend applying this Critical Patch Update as soon as possible. A summary and analysis of this Critical Patch Update has been published on My Oracle Support (Doc ID 2220314.1).

For more information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

My Oracle Support Note 2220314.1: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2220314.1 (MOS account required).

Oracle Java SE Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle Java SE.  16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1. 


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix


The columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Component | Sub-component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3289 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 7u121, 8u112; Java SE Embedded: 8u111 | See Note 1 |
| CVE-2017-3272 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111 | See Note 1 |
| CVE-2017-3241 | Java SE, Java SE Embedded, JRockit | RMI | Multiple | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12 | See Note 2 |
| CVE-2017-3260 | Java SE | AWT | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 7u121, 8u112 | See Note 1 |
| CVE-2017-3253 | Java SE, Java SE Embedded, JRockit | 2D | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12 | See Note 3 |
| CVE-2016-5546 | Java SE, Java SE Embedded, JRockit | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12 | See Note 3 |
| CVE-2016-5549 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | Java SE: 7u121, 8u112; Java SE Embedded: 8u111 | See Note 1 |
| CVE-2016-5548 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111 | See Note 1 |
| CVE-2017-3252 | Java SE, Java SE Embedded, JRockit | JAAS | Multiple | No | 5.8 | Network | High | Low | Required | Changed | None | High | None | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12 | See Note 3 |
| CVE-2017-3262 | Java SE | Java Mission Control | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java SE: 8u112 | See Note 4 |
| CVE-2016-5547 | Java SE, Java SE Embedded, JRockit | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12 | See Note 3 |
| CVE-2016-5552 | Java SE, Java SE Embedded, JRockit | Networking | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12 | See Note 3 |
| CVE-2017-3231 | Java SE, Java SE Embedded | Networking | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | Low | None | None | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111 | See Note 1 |
| CVE-2017-3261 | Java SE, Java SE Embedded | Networking | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | Low | None | None | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111 | See Note 1 |
| CVE-2017-3259 | Java SE | Deployment | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Java SE: 6u131, 7u121, 8u112 | See Note 1 |
| CVE-2016-8328 | Java SE | Java Mission Control | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java SE: 8u112 | See Note 4 |
| CVE-2016-2183 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111 | See Note 3 |

 

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  4. Applies to Java Mission Control Installation.

