Security update for java-1_6_0-ibm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:3235-1 Final 1 1 2017-12-07T14:33:20Z current 2017-12-07T14:33:20Z 2017-12-07T14:33:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for java-1_6_0-ibm This update for java-1_6_0-ibm fixes the following issues: Security issues fixed: - Security update to version 6.0.16.50 (bsc#1070162) * CVE-2017-10346 CVE-2017-10285 CVE-2017-10388 CVE-2017-10356 CVE-2017-10293 CVE-2016-9841 CVE-2017-10355 CVE-2017-10357 CVE-2017-10348 CVE-2017-10349 CVE-2017-10347 CVE-2017-10350 CVE-2017-10281 CVE-2017-10295 CVE-2017-10345 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Legacy-12-2017-2018 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ Link for SUSE-SU-2017:3235-1 https://lists.suse.com/pipermail/sle-security-updates/2017-December/003481.html E-Mail link for SUSE-SU-2017:3235-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1070162 SUSE Bug 1070162 https://www.suse.com/security/cve/CVE-2016-9841/ SUSE CVE CVE-2016-9841 page https://www.suse.com/security/cve/CVE-2017-10281/ SUSE CVE CVE-2017-10281 page https://www.suse.com/security/cve/CVE-2017-10285/ SUSE CVE CVE-2017-10285 page https://www.suse.com/security/cve/CVE-2017-10293/ SUSE CVE CVE-2017-10293 page https://www.suse.com/security/cve/CVE-2017-10295/ SUSE CVE CVE-2017-10295 page https://www.suse.com/security/cve/CVE-2017-10345/ SUSE CVE CVE-2017-10345 page https://www.suse.com/security/cve/CVE-2017-10346/ SUSE CVE CVE-2017-10346 page https://www.suse.com/security/cve/CVE-2017-10347/ SUSE CVE CVE-2017-10347 page https://www.suse.com/security/cve/CVE-2017-10348/ SUSE CVE CVE-2017-10348 page https://www.suse.com/security/cve/CVE-2017-10349/ SUSE CVE CVE-2017-10349 page https://www.suse.com/security/cve/CVE-2017-10350/ SUSE CVE CVE-2017-10350 page https://www.suse.com/security/cve/CVE-2017-10355/ SUSE CVE CVE-2017-10355 page https://www.suse.com/security/cve/CVE-2017-10356/ SUSE CVE CVE-2017-10356 page https://www.suse.com/security/cve/CVE-2017-10357/ SUSE CVE CVE-2017-10357 page https://www.suse.com/security/cve/CVE-2017-10388/ SUSE CVE CVE-2017-10388 page SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 as a component of SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 as a component of SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 as a component of SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 as a component of SUSE Linux Enterprise Module for Legacy 12 inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. CVE-2016-9841 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 critical 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2016-9841.html CVE-2016-9841 https://bugzilla.suse.com/1003579 SUSE Bug 1003579 https://bugzilla.suse.com/1022633 SUSE Bug 1022633 https://bugzilla.suse.com/1038505 SUSE Bug 1038505 https://bugzilla.suse.com/1064070 SUSE Bug 1064070 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 https://bugzilla.suse.com/1120866 SUSE Bug 1120866 https://bugzilla.suse.com/1123150 SUSE Bug 1123150 https://bugzilla.suse.com/1127473 SUSE Bug 1127473 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2017-10281 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10281.html CVE-2017-10281 https://bugzilla.suse.com/1064072 SUSE Bug 1064072 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). CVE-2017-10285 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 10 AV:N/AC:L/Au:N/C:C/I:C/A:C 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10285.html CVE-2017-10285 https://bugzilla.suse.com/1064073 SUSE Bug 1064073 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Javadoc). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). CVE-2017-10293 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10293.html CVE-2017-10293 https://bugzilla.suse.com/1064074 SUSE Bug 1064074 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.0 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N). CVE-2017-10295 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10295.html CVE-2017-10295 https://bugzilla.suse.com/1064075 SUSE Bug 1064075 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). CVE-2017-10345 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 low 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10345.html CVE-2017-10345 https://bugzilla.suse.com/1064077 SUSE Bug 1064077 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). CVE-2017-10346 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 important 9.7 AV:N/AC:L/Au:N/C:C/I:C/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10346.html CVE-2017-10346 https://bugzilla.suse.com/1064078 SUSE Bug 1064078 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2017-10347 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10347.html CVE-2017-10347 https://bugzilla.suse.com/1064079 SUSE Bug 1064079 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2017-10348 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10348.html CVE-2017-10348 https://bugzilla.suse.com/1064080 SUSE Bug 1064080 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2017-10349 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10349.html CVE-2017-10349 https://bugzilla.suse.com/1064081 SUSE Bug 1064081 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2017-10350 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10350.html CVE-2017-10350 https://bugzilla.suse.com/1064082 SUSE Bug 1064082 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2017-10355 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 3.3 AV:A/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10355.html CVE-2017-10355 https://bugzilla.suse.com/1064083 SUSE Bug 1064083 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). CVE-2017-10356 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 4.9 AV:L/AC:L/Au:N/C:C/I:N/A:N 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10356.html CVE-2017-10356 https://bugzilla.suse.com/1064084 SUSE Bug 1064084 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2017-10357 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10357.html CVE-2017-10357 https://bugzilla.suse.com/1064085 SUSE Bug 1064085 https://bugzilla.suse.com/1070162 SUSE Bug 1070162 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). CVE-2017-10388 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.50-50.3.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.50-50.3.1 moderate 7.1 AV:N/AC:H/Au:N/C:C/I:C/A:N 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173235-1/ https://www.suse.com/security/cve/CVE-2017-10388.html CVE-2017-10388 https://bugzilla.suse.com/1064086 SUSE Bug 1064086 https://bugzilla.suse.com/1070162 SUSE Bug 1070162