Description: | Summary: Oracle Java SE JRE is prone to multiple unspecified vulnerabilities.
Vulnerability Insight: Multiple unspecified flaws exist due to:
- An infinite loop in the DER decoder that is triggered when handling negative length values.
- An error in the RMI component's transport implementation related to incorrect context class loader use.
- An error in the Swing component's file chooser implementation.
- An error in vm/memory/referenceProcessor.cpp related to handling of phantom object references in the Hotspot JVM garbage collector.
- An error in the Hotspot JVM related to insecure handling of temporary performance data files.
- An error in the JSSE component related to improper ChangeCipherSpec tracking during SSL/TLS handshakes.
- Two out-of-bounds read errors in the layout component that are triggered when parsing fonts.
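The first bullet describes a classic parser failure mode: a DER length field is accumulated into a signed 32-bit integer, wraps negative, and the position pointer stops advancing. The following Python model is an added example and is not Oracle's decoder (the JDK's real DER code is structured differently); it assumes a Java-style signed `int` for the length accumulator and uses constructed input bytes, and it shows the unchecked walk beside a strict X.690-style length decoder that rejects the malformed field before it can be used as an offset.

```python
"""Model of a DER length-decoding infinite loop and its hardened form.

Added example, not JDK code. Assumption: the vulnerable decoder stores the
decoded length in a Java-style signed 32-bit int, so a four-byte long-form
length with the high bit set becomes negative.
"""


def to_int32(value):
    """Emulate Java signed 32-bit wraparound (assumption of this model)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_length_unchecked(buf, pos):
    """X.690 length decoding with no validation. Returns (length, new_pos).

    Long-form lengths (first byte 0x80 | n, then n bytes) are accumulated
    into a signed int, so 0x84 FF FF FF FA decodes as -6, not 4294967290.
    """
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    length = 0
    for _ in range(n):
        length = to_int32((length << 8) | buf[pos])
        pos += 1
    return length, pos


def walk_unchecked(buf, max_steps=1000):
    """Walk top-level TLVs trusting every length.

    Returns the list of (tag, length) seen, or None when the walk did not
    terminate within max_steps: the infinite-loop symptom. The cap exists
    only so this demonstration cannot hang.
    """
    pos, seen = 0, []
    for _ in range(max_steps):
        if pos >= len(buf):
            return seen
        tag = buf[pos]
        length, pos = decode_length_unchecked(buf, pos + 1)
        seen.append((tag, length))
        pos += length  # negative length moves pos backwards; nothing stops it
    return None


def decode_length_checked(buf, pos):
    """Strict DER length decoding: rejects indefinite form, non-minimal
    encodings, values outside the signed 32-bit range, and lengths that
    run past the end of the buffer."""
    if pos >= len(buf):
        raise ValueError("truncated length field")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not permitted in DER")
        if n > 4:
            raise ValueError("length field too wide")
        if pos + n > len(buf):
            raise ValueError("truncated length field")
        if buf[pos] == 0 or (n == 1 and buf[pos] < 0x80):
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length > 0x7FFFFFFF:
            raise ValueError("length exceeds signed 32-bit range")
    if length > len(buf) - pos:
        raise ValueError("length runs past end of buffer")
    return length, pos


def walk_checked(buf):
    """Walk top-level TLVs; every length is validated before use as an offset."""
    pos, seen = 0, []
    while pos < len(buf):
        tag = buf[pos]
        length, pos = decode_length_checked(buf, pos + 1)
        seen.append((tag, bytes(buf[pos:pos + length])))
        pos += length
    return seen


def is_rejected(buf):
    """True if the strict walker refuses the buffer with ValueError."""
    try:
        walk_checked(buf)
    except ValueError:
        return True
    return False


# Constructed inputs for this example.
# GOOD: SEQUENCE { INTEGER 5, OCTET STRING "hello" }, 10 content bytes.
GOOD = bytes.fromhex("300a0201050405" + b"hello".hex())
# EVIL: SEQUENCE with long-form length 0x84 FF FF FF FA, i.e. -6 as int32,
# which sends the unchecked walker back to offset 0 forever.
EVIL = bytes.fromhex("3084fffffffa")


if __name__ == "__main__":
    print("unchecked, good input:", walk_unchecked(GOOD))
    print("unchecked, evil input:", walk_unchecked(EVIL))
    print("checked, good input:  ", walk_checked(GOOD))
    print("checked rejects evil: ", is_rejected(EVIL))
```

The decisive check is the one that bounds the length against the bytes remaining after the length field; the signed-range check alone would not stop a positive but oversized length from pushing the pointer past the buffer, and the non-minimal-encoding checks are what make the decoder DER rather than merely BER.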
Vulnerability Impact: Successful exploitation will allow attackers to conduct a denial of service attack, man-in-the-middle attack, potentially disclose memory contents, remove or overwrite arbitrary files on the system, disclose certain directory information, bypass sandbox restrictions and potentially execute arbitrary code.
Affected Software/OS: Oracle Java SE 5 update 75 and prior, 6 update 85 and prior, 7 update 72 and prior, and 8 update 25 and prior on Windows.
Solution: Apply the patch from the referenced advisory.
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
|