-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0108
                     Security Advisory: Oracle Java SE
                               19 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Java Advanced Management Console
                      Oracle Java SE
                      Oracle Java SE Embedded
                      Oracle JRockit
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Access Privileged Data          -- Remote/Unauthenticated      
                      Modify Arbitrary Files          -- Remote with User Interaction
                      Delete Arbitrary Files          -- Remote with User Interaction
                      Denial of Service               -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-10243 CVE-2017-10198 CVE-2017-10193
                      CVE-2017-10176 CVE-2017-10145 CVE-2017-10135
                      CVE-2017-10125 CVE-2017-10121 CVE-2017-10118
                      CVE-2017-10117 CVE-2017-10116 CVE-2017-10115
                      CVE-2017-10114 CVE-2017-10111 CVE-2017-10110
                      CVE-2017-10109 CVE-2017-10108 CVE-2017-10107
                      CVE-2017-10105 CVE-2017-10104 CVE-2017-10102
                      CVE-2017-10101 CVE-2017-10096 CVE-2017-10090
                      CVE-2017-10089 CVE-2017-10087 CVE-2017-10086
                      CVE-2017-10081 CVE-2017-10078 CVE-2017-10074
                      CVE-2017-10067 CVE-2017-10053 
Member content until: Friday, August 18 2017

OVERVIEW

        Multiple vulnerabilities have been identified in Oracle Java SE products:
        
         - Java Advanced Management Console, version 2.6
        
         - Oracle Java SE, versions 6u151, 7u141, 8u131
        
         - Oracle Java SE Embedded, version 8u131
        
         - Oracle JRockit, version R28.3.14. [1]
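
        The check below is an added example and is not part of this
        bulletin or of Oracle's advisory. It parses the first line of
        `java -version` output and reports whether a Java SE install sits
        at or below the update levels listed above (6u151, 7u141, 8u131).
        It assumes that earlier updates of the same family are affected as
        well, covers only the legacy 1.x.y_NN version layout, and does not
        recognise JRockit or the Advanced Management Console; the sample
        outputs in SAMPLES are constructed, not captured from a real host.

```python
"""Classify a Java SE install against the affected update levels in this
bulletin from `java -version` output (added example, not bulletin text)."""
import re
import subprocess

# Highest affected update per family, as listed in the OVERVIEW above.
# Assumption made here: older updates of the same family are affected too.
AFFECTED_MAX_UPDATE = {6: 151, 7: 141, 8: 131}

# `java -version` writes to stderr; its first line reads e.g.
#   java version "1.8.0_131"
_VERSION_RE = re.compile(r'version "1\.(\d)\.\d+_(\d+)')


def parse_java_version(output: str):
    """Return (family, update) such as (8, 131) from `java -version` text,
    or None when no legacy 1.x.y_NN string is present (e.g. Java 9+)."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(output: str) -> bool:
    """True when the family is one the bulletin lists and the update is at
    or below the last affected update for that family."""
    parsed = parse_java_version(output)
    if parsed is None:
        return False
    family, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(family)
    return limit is not None and update <= limit


def check_local_java() -> bool:
    """Run the installed `java -version` and classify its output."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_affected(proc.stderr + proc.stdout)


# Constructed samples of `java -version` output (not from a real host).
SAMPLES = {
    "8u131": 'java version "1.8.0_131"\nJava(TM) SE Runtime Environment\n',
    "8u141": 'java version "1.8.0_141"\nJava(TM) SE Runtime Environment\n',
    "7u141": 'java version "1.7.0_141"\n',
    "openjdk9": 'openjdk version "9.0.1"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: affected={is_affected(text)}")
    try:
        print("local java affected:", check_local_java())
    except FileNotFoundError:
        print("no java binary on PATH")
```

        Run it on each host in an inventory job; a None result from
        parse_java_version means the layout was not recognised and the
        host needs a manual look rather than a "not affected" verdict.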


IMPACT

        The vendor has provided the following information regarding the 
        vulnerabilities.
        
        "This Critical Patch Update contains 32 new security fixes for Oracle
        Java SE. 28 of these vulnerabilities may be remotely exploitable 
        without authentication, i.e., may be exploited over a network 
        without requiring user credentials." [1]
        
        "CVE-2017-10110
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131. Easily exploitable vulnerability allows unauthenticated 
        attacker with network access via multiple protocols to compromise 
        Java SE. Successful attacks require human interaction from a person
        other than the attacker and while the vulnerability is in Java SE, 
        attacks may significantly impact additional products. Successful 
        attacks of this vulnerability can result in takeover of Java SE. 
        Note: This vulnerability applies to Java deployments, typically in 
        clients running sandboxed Java Web Start applications or sandboxed 
        Java applets, that load and run untrusted code (e.g., code that 
        comes from the internet) and rely on the Java sandbox for security.
        This vulnerability does not apply to Java deployments, typically in
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-10089
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131. Easily exploitable vulnerability allows unauthenticated 
        attacker with network access via multiple protocols to compromise 
        Java SE. Successful attacks require human interaction from a person
        other than the attacker and while the vulnerability is in Java SE, 
        attacks may significantly impact additional products. Successful 
        attacks of this vulnerability can result in takeover of Java SE. 
        Note: This vulnerability applies to Java deployments, typically in 
        clients running sandboxed Java Web Start applications or sandboxed 
        Java applets, that load and run untrusted code (e.g., code that 
        comes from the internet) and rely on the Java sandbox for security.
        This vulnerability does not apply to Java deployments, typically in
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-10086
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 7u141 and 8u131. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via multiple protocols to compromise Java SE. 
        Successful attacks require human interaction from a person other 
        than the attacker and while the vulnerability is in Java SE, attacks
        may significantly impact additional products. Successful attacks of
        this vulnerability can result in takeover of Java SE. Note: This 
        vulnerability applies to Java deployments, typically in clients 
        running sandboxed Java Web Start applications or sandboxed Java 
        applets, that load and run untrusted code (e.g., code that comes 
        from the internet) and rely on the Java sandbox for security. This 
        vulnerability does not apply to Java deployments, typically in 
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-10096
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. Successful 
        attacks require human interaction from a person other than the 
        attacker and while the vulnerability is in Java SE, Java SE 
        Embedded, attacks may significantly impact additional products. 
        Successful attacks of this vulnerability can result in takeover of 
        Java SE, Java SE Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator).
        
        CVE-2017-10101
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. Successful 
        attacks require human interaction from a person other than the 
        attacker and while the vulnerability is in Java SE, Java SE 
        Embedded, attacks may significantly impact additional products. 
        Successful attacks of this vulnerability can result in takeover of 
        Java SE, Java SE Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator).
        
        CVE-2017-10087
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. Successful 
        attacks require human interaction from a person other than the 
        attacker and while the vulnerability is in Java SE, Java SE 
        Embedded, attacks may significantly impact additional products. 
        Successful attacks of this vulnerability can result in takeover of 
        Java SE, Java SE Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator).
        
        CVE-2017-10090
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 7u141 and 8u131; 
        Java SE Embedded: 8u131. Easily exploitable vulnerability allows 
        unauthenticated attacker with network access via multiple protocols
        to compromise Java SE, Java SE Embedded. Successful attacks require
        human interaction from a person other than the attacker and while 
        the vulnerability is in Java SE, Java SE Embedded, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in takeover of Java SE, Java SE Embedded. 
        Note: This vulnerability applies to Java deployments, typically in 
        clients running sandboxed Java Web Start applications or sandboxed 
        Java applets, that load and run untrusted code (e.g., code that 
        comes from the internet) and rely on the Java sandbox for security.
        This vulnerability does not apply to Java deployments, typically in
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-10111
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        The supported version that is affected is Java SE: 8u131; Java SE 
        Embedded: 8u131. Easily exploitable vulnerability allows 
        unauthenticated attacker with network access via multiple protocols
        to compromise Java SE, Java SE Embedded. Successful attacks require
        human interaction from a person other than the attacker and while 
        the vulnerability is in Java SE, Java SE Embedded, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in takeover of Java SE, Java SE Embedded. 
        Note: This vulnerability applies to Java deployments, typically in 
        clients running sandboxed Java Web Start applications or sandboxed 
        Java applets, that load and run untrusted code (e.g., code that 
        comes from the internet) and rely on the Java sandbox for security.
        This vulnerability does not apply to Java deployments, typically in
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-10107
        
        9.6
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. Successful 
        attacks require human interaction from a person other than the 
        attacker and while the vulnerability is in Java SE, Java SE 
        Embedded, attacks may significantly impact additional products. 
        Successful attacks of this vulnerability can result in takeover of 
        Java SE, Java SE Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator).
        
        CVE-2017-10102
        
        9.0
        
        AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. While the 
        vulnerability is in Java SE, Java SE Embedded, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in takeover of Java SE, Java SE Embedded. 
        Note: This vulnerability can only be exploited by supplying data to
        APIs in the specified Component without using Untrusted Java Web 
        Start applications or Untrusted Java applets, such as through a web
        service.
        
        CVE-2017-10114
        
        8.3
        
        AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 7u141 and 8u131. 
        Difficult to exploit vulnerability allows unauthenticated attacker 
        with network access via multiple protocols to compromise Java SE. 
        Successful attacks require human interaction from a person other 
        than the attacker and while the vulnerability is in Java SE, attacks
        may significantly impact additional products. Successful attacks of
        this vulnerability can result in takeover of Java SE. Note: This 
        vulnerability applies to Java deployments, typically in clients 
        running sandboxed Java Web Start applications or sandboxed Java 
        applets, that load and run untrusted code (e.g., code that comes 
        from the internet) and rely on the Java sandbox for security. This 
        vulnerability does not apply to Java deployments, typically in 
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-10074
        
        8.3
        
        AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. Successful 
        attacks require human interaction from a person other than the 
        attacker and while the vulnerability is in Java SE, Java SE 
        Embedded, attacks may significantly impact additional products. 
        Successful attacks of this vulnerability can result in takeover of 
        Java SE, Java SE Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator).
        
        CVE-2017-10116
        
        8.3
        
        AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to 
        exploit vulnerability allows unauthenticated attacker with network 
        access via multiple protocols to compromise Java SE, Java SE 
        Embedded, JRockit. Successful attacks require human interaction from
        a person other than the attacker and while the vulnerability is in 
        Java SE, Java SE Embedded, JRockit, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can 
        result in takeover of Java SE, Java SE Embedded, JRockit. Note: This
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10078
        
        8.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        
        The supported version that is affected is Java SE: 8u131. Easily 
        exploitable vulnerability allows low privileged attacker with 
        network access via multiple protocols to compromise Java SE. 
        Successful attacks of this vulnerability can result in unauthorized
        creation, deletion or modification access to critical data or all 
        Java SE accessible data as well as unauthorized access to critical 
        data or complete access to all Java SE accessible data. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10067
        
        7.5
        
        AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131. Difficult to exploit vulnerability allows unauthenticated 
        attacker with network access via multiple protocols to compromise 
        Java SE. Successful attacks require human interaction from a person
        other than the attacker. Successful attacks of this vulnerability 
        can result in takeover of Java SE. Note: This vulnerability applies
        to Java deployments, typically in clients running sandboxed Java Web
        Start applications or sandboxed Java applets, that load and run 
        untrusted code (e.g., code that comes from the internet) and rely on
        the Java sandbox for security. This vulnerability does not apply to
        Java deployments, typically in servers, that load and run only 
        trusted code (e.g., code installed by an administrator).
        
        CVE-2017-10115
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via multiple protocols to compromise Java SE, Java SE
        Embedded, JRockit. Successful attacks of this vulnerability can 
        result in unauthorized access to critical data or complete access to
        all Java SE, Java SE Embedded, JRockit accessible data. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10118
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are Java SE: 7u141 and 8u131; 
        Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via multiple protocols to compromise Java SE, Java SE Embedded, 
        JRockit. Successful attacks of this vulnerability can result in 
        unauthorized access to critical data or complete access to all Java
        SE, Java SE Embedded, JRockit accessible data. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10176
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are Java SE: 7u141 and 8u131; 
        Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via multiple protocols to compromise Java SE, Java SE Embedded, 
        JRockit. Successful attacks of this vulnerability can result in 
        unauthorized access to critical data or complete access to all Java
        SE, Java SE Embedded, JRockit accessible data. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10104
        
        7.4
        
        AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
        
        The supported version that is affected is Java Advanced Management 
        Console: 2.6. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Java Advanced 
        Management Console. While the vulnerability is in Java Advanced 
        Management Console, attacks may significantly impact additional 
        products. Successful attacks of this vulnerability can result in 
        unauthorized update, insert or delete access to some of Java 
        Advanced Management Console accessible data as well as unauthorized
        read access to a subset of Java Advanced Management Console 
        accessible data and unauthorized ability to cause a partial denial 
        of service (partial DOS) of Java Advanced Management Console.
        
        CVE-2017-10145
        
        7.4
        
        AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
        
        The supported version that is affected is Java Advanced Management 
        Console: 2.6. Easily exploitable vulnerability allows low privileged
        attacker with network access via multiple protocols to compromise 
        Java Advanced Management Console. While the vulnerability is in Java
        Advanced Management Console, attacks may significantly impact 
        additional products. Successful attacks of this vulnerability can 
        result in unauthorized update, insert or delete access to some of 
        Java Advanced Management Console accessible data as well as 
        unauthorized read access to a subset of Java Advanced Management 
        Console accessible data and unauthorized ability to cause a partial
        denial of service (partial DOS) of Java Advanced Management Console.
        
        CVE-2017-10125
        
        7.1
        
        AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
        
        Supported versions that are affected are Java SE: 7u141 and 8u131. 
        Difficult to exploit vulnerability allows physical access to 
        compromise Java SE. While the vulnerability is in Java SE, attacks 
        may significantly impact additional products. Successful attacks of
        this vulnerability can result in takeover of Java SE. Note: Applies
        to deployment of Java where the Java Auto Update is enabled.
        
        CVE-2017-10198
        
        6.8
        
        AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to 
        exploit vulnerability allows unauthenticated attacker with network 
        access via multiple protocols to compromise Java SE, Java SE 
        Embedded, JRockit. While the vulnerability is in Java SE, Java SE 
        Embedded, JRockit, attacks may significantly impact additional 
        products. Successful attacks of this vulnerability can result in 
        unauthorized access to critical data or complete access to all Java
        SE, Java SE Embedded, JRockit accessible data. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10243
        
        6.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via multiple protocols to compromise Java SE, Java SE
        Embedded, JRockit. Successful attacks of this vulnerability can 
        result in unauthorized read access to a subset of Java SE, Java SE 
        Embedded, JRockit accessible data and unauthorized ability to cause
        a partial denial of service (partial DOS) of Java SE, Java SE 
        Embedded, JRockit. Note: This vulnerability can be exploited through
        sandboxed Java Web Start applications and sandboxed Java applets. It
        can also be exploited by supplying data to APIs in the specified 
        Component without using sandboxed Java Web Start applications or 
        sandboxed Java applets, such as through a web service.
        
        CVE-2017-10121
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        The supported version that is affected is Java Advanced Management 
        Console: 2.6. Easily exploitable vulnerability allows 
        unauthenticated attacker with network access via HTTP to compromise
        Java Advanced Management Console. Successful attacks require human 
        interaction from a person other than the attacker and while the 
        vulnerability is in Java Advanced Management Console, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Java Advanced Management Console accessible data 
        as well as unauthorized read access to a subset of Java Advanced 
        Management Console accessible data.
        
        CVE-2017-10135
        
        5.9
        
        AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to 
        exploit vulnerability allows unauthenticated attacker with network 
        access via multiple protocols to compromise Java SE, Java SE 
        Embedded, JRockit. Successful attacks of this vulnerability can 
        result in unauthorized access to critical data or complete access to
        all Java SE, Java SE Embedded, JRockit accessible data. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10117
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        The supported version that is affected is Java Advanced Management 
        Console: 2.6. Easily exploitable vulnerability allows 
        unauthenticated attacker with network access via HTTP to compromise
        Java Advanced Management Console. Successful attacks of this 
        vulnerability can result in unauthorized read access to a subset of
        Java Advanced Management Console accessible data.
        
        CVE-2017-10053
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via multiple protocols to compromise Java SE, Java SE
        Embedded, JRockit. Successful attacks of this vulnerability can 
        result in unauthorized ability to cause a partial denial of service
        (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10108
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via multiple protocols to compromise Java SE, Java SE
        Embedded, JRockit. Successful attacks of this vulnerability can 
        result in unauthorized ability to cause a partial denial of service
        (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This 
        vulnerability can be exploited through sandboxed Java Web Start 
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using 
        sandboxed Java Web Start applications or sandboxed Java applets, 
        such as through a web service.
        
        CVE-2017-10109
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via multiple protocols to compromise Java SE, Java SE
        Embedded, JRockit. Successful attacks of this vulnerability can 
        result in unauthorized ability to cause a partial denial of service
        (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This 
        vulnerability applies to Java deployments, typically in clients 
        running sandboxed Java Web Start applications or sandboxed Java 
        applets, that load and run untrusted code (e.g., code that comes 
        from the internet) and rely on the Java sandbox for security. This 
        vulnerability does not apply to Java deployments, typically in 
        servers, that load and run only trusted code (e.g., code installed 
        by an administrator).
        
        CVE-2017-10105
        
        4.3
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131. Easily exploitable vulnerability allows unauthenticated 
        attacker with network access via multiple protocols to compromise 
        Java SE. Successful attacks require human interaction from a person
        other than the attacker. Successful attacks of this vulnerability 
        can result in unauthorized update, insert or delete access to some 
        of Java SE accessible data. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator).
        
        CVE-2017-10081
        
        4.3
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized update, insert or delete access to some of Java SE, 
        Java SE Embedded accessible data. Note: This vulnerability applies 
        to Java deployments, typically in clients running sandboxed Java Web
        Start applications or sandboxed Java applets, that load and run 
        untrusted code (e.g., code that comes from the internet) and rely on
        the Java sandbox for security. This vulnerability does not apply to
        Java deployments, typically in servers, that load and run only 
        trusted code (e.g., code installed by an administrator).
        
        CVE-2017-10193
        
        3.1
        
        AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
        
        Supported versions that are affected are Java SE: 6u151, 7u141 and 
        8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability 
        allows unauthenticated attacker with network access via multiple 
        protocols to compromise Java SE, Java SE Embedded. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized read access to a subset of Java SE, Java SE Embedded 
        accessible data. Note: This vulnerability applies to Java 
        deployments, typically in clients running sandboxed Java Web Start 
        applications or sandboxed Java applets, that load and run untrusted
        code (e.g., code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply to Java 
        deployments, typically in servers, that load and run only trusted 
        code (e.g., code installed by an administrator)." [2]
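The scores and vectors quoted above can be cross-checked rather than taken on trust. The following Python is an added example, not part of the AusCERT bulletin or of Oracle's advisory text: it parses entries in the layout used above (CVE id, score, vector) and recomputes each base score from the published CVSS v3.0 base-metric weights, so a mismatch between a quoted score and its vector stands out. SAMPLE_ENTRIES is constructed from three entries quoted above; `round_up` follows the CVSS reference approach of rounding on integers so that floating-point noise cannot change a score.

```python
"""Recompute the CVSS v3.0 base scores quoted in the risk matrix above.

Added example; it is not part of the AusCERT bulletin or Oracle's text.
The weights and formulas are the published CVSS v3.0 base-metric
definitions; SAMPLE_ENTRIES is constructed from three entries quoted
above so the block runs offline.
"""
import math
import re

# Published CVSS v3.0 weights for the base metrics.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}  # (S:U, S:C)
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

VECTOR_RE = re.compile(
    r"AV:(?P<AV>[NALP])/AC:(?P<AC>[LH])/PR:(?P<PR>[NLH])/UI:(?P<UI>[NR])"
    r"/S:(?P<S>[UC])/C:(?P<C>[HLN])/I:(?P<I>[HLN])/A:(?P<A>[HLN])"
)

# One advisory entry reads "CVE id, blank line, score, blank line, vector".
ENTRY_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+(\d+\.\d)\s+(AV:\S+)")

# Constructed from the advisory text above (ids, scores and vectors as quoted).
SAMPLE_ENTRIES = """
        CVE-2017-10108

        5.3

        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

        CVE-2017-10105

        4.3

        AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

        CVE-2017-10193

        3.1

        AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
"""


def round_up(x):
    """CVSS 'Round up' to one decimal place, computed on integers so that
    binary floating-point noise (e.g. 4.3000000001) cannot push a score up."""
    n = round(x * 100000)
    if n % 10000 == 0:
        return n / 100000.0
    return (math.floor(n / 10000) + 1) / 10.0


def base_score(vector):
    """Return the CVSS v3.0 base score for a base-metric vector string."""
    m = VECTOR_RE.search(vector)
    if m is None:
        raise ValueError("not a CVSS v3.0 base vector: %r" % vector)
    g = m.groupdict()
    changed = g["S"] == "C"
    iss = 1 - (1 - CIA[g["C"]]) * (1 - CIA[g["I"]]) * (1 - CIA[g["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    # Privileges Required is weighted differently when scope changes.
    exploitability = (8.22 * AV[g["AV"]] * AC[g["AC"]]
                      * PR[g["PR"]][1 if changed else 0] * UI[g["UI"]])
    if impact <= 0:
        return 0.0
    if changed:
        return round_up(min(1.08 * (impact + exploitability), 10))
    return round_up(min(impact + exploitability, 10))


def check_entries(text):
    """Parse (cve, quoted score, vector) triples and recompute each score.
    Returns a list of (cve, quoted, computed, agrees) tuples."""
    results = []
    for cve, quoted, vector in ENTRY_RE.findall(text):
        computed = base_score(vector)
        results.append((cve, float(quoted), computed, float(quoted) == computed))
    return results


if __name__ == "__main__":
    for cve, quoted, computed, ok in check_entries(SAMPLE_ENTRIES):
        print("%s quoted %.1f computed %.1f %s"
              % (cve, quoted, computed, "OK" if ok else "MISMATCH"))
```

The three quoted entries recompute to 5.3, 4.3 and 3.1 as listed; the same function handles scope-changed vectors, which the entries above do not exercise.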


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly 
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of 
        successful attack by blocking network protocols required by an 
        attack. For attacks that require certain privileges or access to 
        certain packages, removing the privileges or the ability to access 
        the packages from users that do not need the privileges may help 
        reduce the risk of successful attack. Both approaches may break 
        application functionality, so Oracle strongly recommends that 
        customers test changes on non-production systems. Neither approach 
        should be considered a long-term solution as neither corrects the 
        underlying problem." [1]
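Applying the CPU presupposes knowing which hosts still run an affected build. The following Python is an added example, not part of the AusCERT bulletin or of Oracle's text: it parses the first line of `java -version` output and compares the update number against the affected Java SE versions named in this bulletin (6u151, 7u141 and 8u131). The banners in SAMPLE_BANNERS are constructed for illustration; JRockit prints a different banner and is reported as unrecognised rather than guessed at. A build at or below the listed affected update lacks this CPU's fixes; a higher update is reported only as newer than the versions listed here.

```python
"""Flag installed Java SE builds that this bulletin lists as affected.

Added example; it is not part of the AusCERT bulletin or Oracle's text.
It reads the first line of `java -version` output and compares the update
number against the affected versions named in this bulletin (Java SE
6u151, 7u141 and 8u131). The banners in SAMPLE_BANNERS are constructed
for illustration; JRockit (R28.3.14) prints a different banner and is
reported as unrecognised here.
"""
import re
import subprocess

# Highest update level per family that the bulletin lists as affected.
AFFECTED_UPDATE = {6: 151, 7: 141, 8: 131}

# Java 6-8 banners look like:  java version "1.8.0_131"
BANNER_RE = re.compile(r'(?:java|openjdk) version "1\.(\d)\.0_(\d+)')

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    'java version "1.8.0_131"\nJava(TM) SE Runtime Environment (build 1.8.0_131-b11)',
    'java version "1.7.0_141"',
    'openjdk version "1.8.0_151"',
    'java version "1.6.0_45"',
    'java version "9-ea"',
]


def parse_banner(banner):
    """Return (family, update) from a Java 1.x banner, or None."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(banner):
    """Classify a banner: 'affected', 'newer', 'not_covered' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in AFFECTED_UPDATE:
        return "not_covered"
    # Anything at or below the listed affected update lacks this CPU's fixes.
    return "affected" if update <= AFFECTED_UPDATE[family] else "newer"


def describe(banner):
    """Human-readable verdict for one banner."""
    status = assess(banner)
    if status == "unknown":
        first = (banner.splitlines() or [""])[0]
        return "unrecognised banner, check manually: %r" % first
    family, update = parse_banner(banner)
    if status == "not_covered":
        return "Java %du%d: family not named in this bulletin" % (family, update)
    if status == "affected":
        return "Java %du%d: at or below affected %du%d, apply the July 2017 CPU" % (
            family, update, family, AFFECTED_UPDATE[family])
    return "Java %du%d: newer than the affected %du%d listed here" % (
        family, update, family, AFFECTED_UPDATE[family])


def installed_banner():
    """Banner of the java on PATH, or None if none is runnable."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout  # java -version writes to stderr


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(describe(b))
    local = installed_banner()
    if local:
        print("local:", describe(local))
```

Run on a fleet, the per-host verdicts give the list of systems that still need the CPU; hosts with several JDKs installed need each `java` binary checked, since only the one on PATH is queried here.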


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2017
            http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

        [2] Text Form of Oracle Critical Patch Update - July 2017 Risk Matrices
            http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----