java 업데이트 소식

오라클은 오늘 발표 2017년 1월 중요 패치 업데이트 .

이 중요 패치 업데이트는 Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun 제품, Oracle Java SE 및 Oracle MySQL을 포함한 광범위한 제품군에 대한 수정을 제공합니다. .

이 중요 패치 업데이트는 가능한 한 빨리 적용하는 것이 좋습니다. 이 중요 패치 업데이트의 요약 및 분석에 게시 된 내 오라클 지원 (문서 ID 2220314.1)

자세한 내용은: 

중요 패치 업데이트 권고가에 위치하고 http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

내 오라클 지원 참고 2220314.1  https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2220314.1 (MOS 계정 필요).

Oracle Java SE Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle Java SE.  16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1. 


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
					Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-3289	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 7u121, 8u112; Java SE Embedded: 8u111	See Note 1
CVE-2017-3272	Java SE, Java SE Embedded	Libraries	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111	See Note 1
CVE-2017-3241	Java SE, Java SE Embedded, JRockit	RMI	Multiple	Yes	9.0	Network	High	None	None	Changed	High	High	High	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12	See Note 2
CVE-2017-3260	Java SE	AWT	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 7u121, 8u112	See Note 1
CVE-2017-3253	Java SE, Java SE Embedded, JRockit	2D	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12	See Note 3
CVE-2016-5546	Java SE, Java SE Embedded, JRockit	Libraries	Multiple	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12	See Note 3
CVE-2016-5549	Java SE, Java SE Embedded	Libraries	Multiple	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	Java SE: 7u121, 8u112; Java SE Embedded: 8u111	See Note 1
CVE-2016-5548	Java SE, Java SE Embedded	Libraries	Multiple	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111	See Note 1
CVE-2017-3252	Java SE, Java SE Embedded, JRockit	JAAS	Multiple	No	5.8	Network	High	Low	Required	Changed	None	High	None	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12	See Note 3
CVE-2017-3262	Java SE	Java Mission Control	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Java SE: 8u112	See Note 4
CVE-2016-5547	Java SE, Java SE Embedded, JRockit	Libraries	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12	See Note 3
CVE-2016-5552	Java SE, Java SE Embedded, JRockit	Networking	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12	See Note 3
CVE-2017-3231	Java SE, Java SE Embedded	Networking	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111	See Note 1
CVE-2017-3261	Java SE, Java SE Embedded	Networking	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111	See Note 1
CVE-2017-3259	Java SE	Deployment	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 6u131, 7u121, 8u112	See Note 1
CVE-2016-8328	Java SE	Java Mission Control	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 8u112	See Note 4
CVE-2016-2183	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 6u131, 7u121, 8u112; Java SE Embedded: 8u111	See Note 3

 

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
4. Applies to Java Mission Control Installation.