Security update for java-1_7_1-ibm

SUSE Security Update: Security update for java-1_7_1-ibm
Announcement ID: SUSE-SU-2017:3455-1
Rating: important
References: #1070162
Affected Products:
  • SUSE OpenStack Cloud 6
  • SUSE Linux Enterprise Software Development Kit 12-SP3
  • SUSE Linux Enterprise Software Development Kit 12-SP2
  • SUSE Linux Enterprise Server for SAP 12-SP1
  • SUSE Linux Enterprise Server 12-SP3
  • SUSE Linux Enterprise Server 12-SP2
  • SUSE Linux Enterprise Server 12-SP1-LTSS
  • SUSE Linux Enterprise Server 12-LTSS

  • An update that fixes 16 vulnerabilities is now available.

    Description:

    This update for java-1_7_1-ibm fixes the following issues:

    - Security update to version 7.1.4.15 [bsc#1070162]

    * CVE-2017-10349: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10348: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10388: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2016-9841: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10293: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10345: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10350: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10356: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10357: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10347: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10355: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10285: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10281: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10295: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2017-10346: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    * CVE-2016-10165: "Vulnerability in the Java SE, Java SE Embedded,
    JRockit component of Oracle Java SE (subcomponent: Serialization).
    Supported versions that are affected are Java SE: 6u161, 7u151, 8u144
    and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded,
    JRockit. Successful attacks require human interaction from a person
    other than the attacker. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a partial denial of service
    (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 3.1 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)."

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE OpenStack Cloud 6:
      zypper in -t patch SUSE-OpenStack-Cloud-6-2017-2160=1
    • SUSE Linux Enterprise Software Development Kit 12-SP3:
      zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-2160=1
    • SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-2160=1
    • SUSE Linux Enterprise Server for SAP 12-SP1:
      zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-2160=1
    • SUSE Linux Enterprise Server 12-SP3:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-2160=1
    • SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-2160=1
    • SUSE Linux Enterprise Server 12-SP1-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-2160=1
    • SUSE Linux Enterprise Server 12-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-2017-2160=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE OpenStack Cloud 6 (x86_64):
      • java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64):
      • java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Software Development Kit 12-SP2 (ppc64le s390x x86_64):
      • java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):
      • java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
      • java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64):
      • java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-SP3 (x86_64):
      • java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-SP2 (ppc64le s390x x86_64):
      • java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-SP2 (x86_64):
      • java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
      • java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):
      • java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):
      • java-1_7_1-ibm-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-devel-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-jdbc-1.7.1_sr4.15-38.8.1
    • SUSE Linux Enterprise Server 12-LTSS (x86_64):
      • java-1_7_1-ibm-alsa-1.7.1_sr4.15-38.8.1
      • java-1_7_1-ibm-plugin-1.7.1_sr4.15-38.8.1

    References: