-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0056
                     Security Advisory: Oracle Java SE
                               20 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Java SE
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-3544 CVE-2017-3539 CVE-2017-3533
                      CVE-2017-3526 CVE-2017-3514 CVE-2017-3512
                      CVE-2017-3511 CVE-2017-3509 
Member content until: Saturday, May 20 2017

OVERVIEW

        Multiple vulnerabilities have been identified in the following
        Oracle Java SE products and versions (earlier update levels of the
        same families are also affected, as they lack these fixes):
        Oracle Java SE, version(s) 6u141, 7u131, 8u121
        Oracle Java SE Embedded, version(s) 8u121
        Oracle JRockit, version(s) R28.3.13. [1]


IMPACT

        The vendor has provided the following information:
        
        "CVE-2017-3512 8.3 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via multiple protocols to compromise Java SE. 
        Successful attacks require human interaction from a person other 
        than the attacker and while the vulnerability is in Java SE, attacks
        may significantly impact additional products. Successful attacks of
        this vulnerability can result in takeover of Java SE. Note: This 
        vulnerability applies to Java deployments, typically in clients 
        running sandboxed Java Web Start applications or sandboxed Java 
        applets, that load and run untrusted code (e.g., code that comes 
        from the internet) and rely on the Java sandbox for security. This 
        vulnerability does not apply to Java deployments, typically in 
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-3514 8.3 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via multiple protocols to compromise Java SE. 
        Successful attacks require human interaction from a person other 
        than the attacker and while the vulnerability is in Java SE, attacks
        may significantly impact additional products. Successful attacks of
        this vulnerability can result in takeover of Java SE. Note: This 
        vulnerability applies to Java deployments, typically in clients 
        running sandboxed Java Web Start applications or sandboxed Java 
        applets, that load and run untrusted code (e.g., code that comes 
        from the internet) and rely on the Java sandbox for security. This 
        vulnerability does not apply to Java deployments, typically in 
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-3511 7.7 AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with logon to the infrastructure where Java SE, Java SE Embedded, 
        JRockit executes to compromise Java SE, Java SE Embedded, JRockit. 
        Successful attacks require human interaction from a person other 
        than the attacker and while the vulnerability is in Java SE, Java SE
        Embedded, JRockit, attacks may significantly impact additional 
        products. Successful attacks of this vulnerability can result in 
        takeover of Java SE, Java SE Embedded, JRockit. Note: Applies to 
        client and server deployment of Java. This vulnerability can be 
        exploited through sandboxed Java Web Start applications and 
        sandboxed Java applets. It can also be exploited by supplying data 
        to APIs in the specified Component without using sandboxed Java Web
        Start applications or sandboxed Java applets, such as through a web
        service.
        
        CVE-2017-3526 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via multiple protocols to compromise Java SE, 
        Java SE Embedded, JRockit. Successful attacks of this vulnerability
        can result in unauthorized ability to cause a hang or frequently 
        repeatable crash (complete DOS) of Java SE, Java SE Embedded, 
        JRockit. Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-3509 4.2 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via multiple protocols to compromise Java SE, 
        Java SE Embedded. Successful attacks require human interaction from
        a person other than the attacker. Successful attacks of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Java SE, Java SE Embedded accessible data as well
        as unauthorized read access to a subset of Java SE, Java SE Embedded
        accessible data. Note: This vulnerability applies to Java 
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator).
        
        CVE-2017-3533 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via FTP to compromise Java SE, Java SE Embedded,
        JRockit. Successful attacks of this vulnerability can result in 
        unauthorized update, insert or delete access to some of Java SE, 
        Java SE Embedded, JRockit accessible data. Note: Applies to client 
        and server deployment of Java. This vulnerability can be exploited 
        through sandboxed Java Web Start applications and sandboxed Java 
        applets. It can also be exploited by supplying data to APIs in the 
        specified Component without using sandboxed Java Web Start 
        applications or sandboxed Java applets, such as through a web 
        service.
        
        CVE-2017-3544 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via SMTP to compromise Java SE, Java SE 
        Embedded, JRockit. Successful attacks of this vulnerability can 
        result in unauthorized update, insert or delete access to some of 
        Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to
        client and server deployment of Java. This vulnerability can be 
        exploited through sandboxed Java Web Start applications and 
        sandboxed Java applets. It can also be exploited by supplying data 
        to APIs in the specified Component without using sandboxed Java Web
        Start applications or sandboxed Java applets, such as through a web
        service.
        
        CVE-2017-3539 3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via multiple protocols to compromise Java SE, 
        Java SE Embedded. Successful attacks require human interaction from
        a person other than the attacker. Successful attacks of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Java SE, Java SE Embedded accessible data. Note: 
        This vulnerability applies to Java deployments, typically in clients
        running sandboxed Java Web Start applications or sandboxed Java 
        applets, that load and run untrusted code (e.g., code that comes 
        from the internet) and rely on the Java sandbox for security. This 
        vulnerability does not apply to Java deployments, typically in 
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator)." [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly 
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of 
        successful attack by blocking network protocols required by an 
        attack. For attacks that require certain privileges or access to 
        certain packages, removing the privileges or the ability to access 
        the packages from users that do not need the privileges may help 
        reduce the risk of successful attack. Both approaches may break 
        application functionality, so Oracle strongly recommends that 
        customers test changes on non-production systems. Neither approach 
        should be considered a long-term solution as neither corrects the 
        underlying problem." [1]

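        The script below is an added example and is not part of the AusCERT
        bulletin or Oracle's advisory. It parses the first line of
        `java -version` output (which the JVM prints to stderr) into a
        (family, update) pair and reports whether that level is at or below
        the affected versions listed above (6u141, 7u131, 8u121). It does
        not know the fixed version numbers, which this bulletin does not
        state, so anything above the listed update is reported only as
        "not-listed", and Java 9-style version strings are reported as
        "unknown". The sample outputs embedded in the script are
        constructed, not captured from real hosts, and the `java` binary is
        assumed to be on PATH when the script is run directly.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Highest affected update per Java family, taken from the OVERVIEW section
# of ASB-2017.0056. Any update at or below this number in the same family
# is treated as affected because earlier updates lack the April 2017 fixes.
AFFECTED_MAX_UPDATE: Dict[int, int] = {6: 141, 7: 131, 8: 121}

# Matches the pre-Java-9 version string, e.g. java version "1.8.0_121"
# or "1.8.0_121-b13". OpenJDK prints "openjdk version"; it is accepted here
# on the assumption that it uses the same numbering, although this bulletin
# covers Oracle Java SE only.
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "1\.(?P<major>[678])\.0_(?P<update>\d+)'
)


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))


def is_affected(family: int, update: int) -> bool:
    """True if the level is at or below the bulletin's affected version."""
    max_update = AFFECTED_MAX_UPDATE.get(family)
    if max_update is None:
        return False  # family not covered by this bulletin
    return update <= max_update


def assess(output: str) -> str:
    """Classify raw `java -version` output for this bulletin."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"      # Java 9+ or unrecognised string: check manually
    family, update = parsed
    return "affected" if is_affected(family, update) else "not-listed"


def local_java_version() -> str:
    """Run `java -version` on this host; the JVM writes it to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "host-a": 'java version "1.8.0_121"\nJava(TM) SE Runtime Environment (build 1.8.0_121-b13)\n',
    "host-b": 'java version "1.7.0_80"\nJava(TM) SE Runtime Environment (build 1.7.0_80-b15)\n',
    "host-c": 'java version "1.8.0_131"\nJava(TM) SE Runtime Environment (build 1.8.0_131-b11)\n',
    "host-d": 'java version "9"\nJava(TM) SE Runtime Environment (build 9+181)\n',
}

if __name__ == "__main__":
    for host, out in SAMPLES.items():
        print(f"{host}: {assess(out)}")
    print(f"local: {assess(local_java_version())}")
```

        A result of "affected" means the host runs a level this bulletin
        covers and should be patched; "not-listed" means only that the
        update number is above the listed one, not that the host is fully
        patched against later CPUs. The check also says nothing about
        whether the host runs sandboxed applets or Web Start applications,
        which Oracle's notes above use to distinguish client from server
        exposure.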

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2017
            http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

        [2] Text Form of Oracle Critical Patch Update - April 2017 Risk
            Matrices
            https://www.oracle.com/technetwork/topics/security/cpuapr2017verbose-3236619.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----