Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 47

Thread: Java JRE updates/advisories

  1. #21
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java users at risk ...

    FYI...

    Java users at risk ...
    - http://community.websense.com/blogs/...-exploits.aspx
    4 Jun 2013 - "... collecting telemetry... to provide insight into usage of the most recent version of Java... almost 93% of users are still not patched to the most recent version of Java. This leaves the majority of users still vulnerable to the dangers of exploit code already in use in the wild... So 1 month after release, the remaining 92.8% of users remain vulnerable to at least one exploit in the wild... the April 2013 Java Critical Patch Update contained 42 new security fixes, of which 39 may be remotely exploitable without authentication. We saw that on April 20, 2013, to illustrate the danger of just one of these 39 remote execution vulnerabilities, Metasploit published a module to exploit a vulnerability in CVE-2013-2423*. We have observed this particular exploit code incorporated into exploit kits and used in the wild..."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-2423

    Java JRE 7u21
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    April 16, 2013

    Recommended Version 7 Update 21
    - https://www.java.com/en/download/manual.jsp

    - https://krebsonsecurity.com/2013/04/...ecurity-holes/
    April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java JRE v7u25 released

    FYI...

    Java JRE 7u25
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    June 18, 2013

    - http://www.oracle.com/technetwork/ja...ads/index.html

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-1955741.html

    - http://www.oracle.com/technetwork/to...3-1899847.html
    "... This Critical Patch Update contains 40 new security fixes across Java SE products of which 4 are applicable to server deployments of Java..."

    Java SE Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA

    - http://www.oracle.com/technetwork/to...e-1899853.html

    - https://blogs.oracle.com/security/en...l_patch_update
    Jun 18, 2013

    Recommended Version 7 Update 25
    - https://www.java.com/en/download/manual.jsp
    ___

    - http://www.securitytracker.com/id/1028679
    CVE Reference: CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744
    Jun 18 2013
    Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 5.0 Update 45, 6 Update 45, 7 Update 21; and prior versions ...
    Solution: The vendor has issued a fix (7 Update 25).

    - https://secunia.com/advisories/53846/
    Release Date: 2013-06-19
    Criticality level: Highly critical
    Impact: Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
    Where: From remote
    ... vulnerabilities are reported in the following products:
    * JDK and JRE 7 Update 21 and prior
    * JDK and JRE 6 Update 45 and prior
    * JDK and JRE 5 Update 45 and prior
    Solution: Apply updates...
    ___

    Less Than 1 Percent Of Enterprises Run Newest Version Of Java
    Most businesses have multiple, outdated versions of the app on their endpoints, new report finds
    - http://www.darkreading.com/vulnerabi...ndly=this-page
    July 18, 2013 - "... More than 90 percent of organizations are running a version of Java that's at least five years old, and 82 percent of endpoints run Java version 6, according to a new report by Bit9 that investigated Java installations in the enterprise. There are an average of 1.6 versions of Java on every endpoint, and nearly half of all endpoints have more than two versions of the application. Fewer than 1 percent run the newest version of Java: version 7 Update 25, Bit9 found... why don't enterprises merely purge older versions of Java? It's the old legacy application problem. Applications that are tied to a specific version of Java could lose functionality if only the new version of Java were running..."

    Last edited by AplusWebMaster; 2013-07-19 at 23:18.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #23
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java 6 0-Day exploit-in-the-wild

    FYI...

    Java 6 0-Day exploit-in-the-wild
    - https://community.qualys.com/blogs/l...it-in-the-wild
    Aug 26, 2013 - "CVE-2013-2463 is a vulnerability in the Java 2D subcomponent, that was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 (including the latest u45) has the same vulnerability, as Oracle acknowledges in the CPU, but since Java 6 has become unsupported as of its End-of-Life in April 2013, there is no patch for the vulnerability... this time, things have become a bit more serious. As Matthew Schwartz reports in Informationweek*, F-Secure has seen exploits for this vulnerability in Java 6 in the wild. Further they have seen it included in the Neutrino exploit kit, which guarantees that it will find widespread adoption. In addition, we still see very high rates of Java 6 installed (a bit over 50%), which means many organizations are vulnerable..."
    * https://www.informationweek.com/secu...expl/240160443

    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-2463 - 10.0 (HIGH)
    ___

    - https://community.qualys.com/blogs/l...it-in-the-wild
    Comments: "... OpenJDK 6 remains supported and actively patched for security flaws. An OpenJDK 6 patch for CVE-2013-2463 is available":
    - http://mail.openjdk.java.net/piperma...ly/023941.html
    ___

    - http://blog.trendmicro.com/trendlabs...oits-going-up/
    Aug 28, 2013 - "... We urge users to carefully evaluate their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws."
    ___

    - http://krebsonsecurity.com/2013/09/r...ecurity-fails/
    4 Sep 2013
    * http://krebsonsecurity.com/wp-conten...javaprompt.png

    - https://www.cert.org/blogs/certcc/20...at_applet.html

    - http://krebsonsecurity.com/how-to-un...m-the-browser/

    Last edited by AplusWebMaster; 2013-09-04 at 15:04.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #24
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #25
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java JRE 7u45 released

    FYI...

    Java JRE 7u45 released
    - http://www.oracle.com/technetwork/ja...s-1880261.html

    - http://www.oracle.com/technetwork/ja...ads/index.html
    "This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

    - https://blogs.oracle.com/java/entry/java_se_7_update_45
    Oct 15, 2013

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-2016950.html

    Recommended Version 7 Update 45
    - https://www.java.com/en/download/manual.jsp

    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    "This Critical Patch Update contains -51- new security fixes for Oracle Java SE. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

    - https://secunia.com/advisories/55315/
    Release Date: 2013-10-16
    Criticality: Highly Critical
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    Solution Status: Vendor Patch
    CVE Reference(s): CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854
    Original Advisory: Oracle:
    http://www.oracle.com/technetwork/to...l#AppendixJAVA
    http://www.oracle.com/technetwork/to...9842.html#JAVA
    ___

    - http://krebsonsecurity.com/2013/10/j...ecurity-holes/
    Oct. 16, 2013 - "... seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants..."
    ___

    - https://isc.sans.edu/diary.html?storyid=16811
    Last Updated: 2013-10-15 20:17:01 UTC - "... Oracle is now on a quarterly update schedule, starting with this version. Going forward, expect regular updates to be released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
    14 January 2014
    15 April 2014
    15 July 2014
    14 October 2014 ..."

    Last edited by AplusWebMaster; 2013-10-16 at 19:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #26
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java JRE 7u51 released ...

    FYI...

    Java JRE 7u51 released
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    Jan 14, 2014

    Java SE Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA

    - http://www.oracle.com/technetwork/ja...ads/index.html
    "This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

    - https://blogs.oracle.com/java/entry/java_se_7_update_51
    "... important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-2085002.html

    Recommended Version 7 Update 51
    - https://www.java.com/en/download/manual.jsp
    ___

    - http://www.securitytracker.com/id/1029608
    CVE Reference: CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0382, CVE-2014-0385, CVE-2014-0387, CVE-2014-0403, CVE-2014-0408, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428
    Jan 14 2014
    Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): prior to 7 Update 51...

    - https://secunia.com/advisories/56485/
    Release Date: 2014-01-15
    Criticality: Highly Critical
    Where: From remote
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...
    ___

    Java Primary Cause of 91% of Attacks
    - http://www.eweek.com/security/java-p...cks-cisco.html
    2014-01-16 - "... no one technology was more abused or more culpable that Java, according to Cisco's latest annual security report*... What that means is that the final payload in observed attacks was a Java exploit..."
    * http://www.cisco.com/web/offers/lp/2...ort/index.html
    "... 91% of web exploits target Java..."

    Last edited by AplusWebMaster; 2014-01-21 at 04:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #27
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java SE 8 ...

    FYI...

    Java SE 8
    - http://www.oracle.com/technetwork/ja...ads/index.html
    Mar 18, 2014

    Java SE 8 Now Available
    - https://blogs.oracle.com/java/entry/java_se_embedded_8

    JRE 8
    - http://www.oracle.com/technetwork/ja...s-2133155.html

    JDK 8 Release Notes
    - http://www.oracle.com/technetwork/ja...t-2153846.html
    "The Java Platform, Standard Edition 8 Development Kit (JDK 8 ) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas... links to release information about enhancements, changes, bugs, installation, runtime deployment, and documentation. Release Notes files are located on our website only and are not in the documentation download bundle, unless otherwise noted..."

    Known Issues for JDK 8
    - http://www.oracle.com/technetwork/ja...s-2157115.html
    ___

    Recommended Version 7 Update 51
    - https://www.java.com/en/download/manual.jsp

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #28
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java SE 8u5 ...

    FYI...

    Java SE 8u5
    - http://www.oracle.com/technetwork/ja...ads/index.html
    Apr 15, 2014

    Release Notes
    - http://www.oracle.com/technetwork/ja...t-2153846.html

    Oracle Java SE Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    ___

    Recommended Version 7 Update 55
    - https://www.java.com/en/download/manual.jsp

    Release Notes - 7u55
    - http://www.oracle.com/technetwork/ja...s-2177812.html
    "... This JRE (version 7u55) will expire with the release of the next critical patch update scheduled for July 15, 2014..."
    ___

    - https://secunia.com/advisories/57932/
    Release Date: 2014-04-16
    Criticality: Highly Critical
    Where: From remote
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    CVE Reference(s): CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0432, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-0463, CVE-2014-0464, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2403, CVE-2014-2409, CVE-2014-2410, CVE-2014-2412, CVE-2014-2413, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2422, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428
    ... vulnerabilities are reported in the following products:
    * JDK and JRE 7 Update 51 and prior
    * JDK and JRE 6 Update 71 and prior
    * JDK and JRE 5 Update 61 and prior
    * JDK and JRE 8
    Solution: Apply updates...
    Original Advisory:
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA

    Last edited by AplusWebMaster; 2014-04-16 at 15:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #29
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java JRE 7u60 released

    FYI...

    Java JRE 7u60 released
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    May 28, 2014

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-2200106.html
    ... notable bug fixes in this release:
    Area: security-libs/java.security
    Synopsis: Realm.getRealmsList returns realms list in wrong order...

    Bug fixes included in JDK 7u60 release
    - http://www.oracle.com/technetwork/ja...s-2202029.html
    ___

    Recommended Version 7 Update 60
    - https://www.java.com/en/download/manual.jsp

    Last edited by AplusWebMaster; 2014-05-31 at 17:54.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #30
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Java 7u65 released

    FYI...

    Java 7u65 released
    - http://www.oracle.com/technetwork/ja...s-1880261.html
    July 15, 2014

    Java 8u11
    - http://www.oracle.com/technetwork/ja...ads/index.html

    Java SE Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    "... contains 20 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication..."
    ___

    Recommended Version 7 Update 65
    - https://www.java.com/en/download/manual.jsp

    Java Uninstall Tool
    - https://www.java.com/en/download/faq...r_toolinfo.xml
    "... simplifying the process of finding and uninstalling older versions of Java. The Uninstall tool shows you a list of the Java versions on your computer and then removes those that are out of date..."
    - https://www.java.com/en/download/uninstallapplet.jsp
    ___

    - http://www.securitytracker.com/id/1030577
    CVE Reference: CVE-2014-2483, CVE-2014-2490, CVE-2014-4208, CVE-2014-4209, CVE-2014-4216, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4223, CVE-2014-4227, CVE-2014-4244, CVE-2014-4247, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4264, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268
    Jul 15 2014
    Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
    Fix Available: Yes Vendor Confirmed: Yes
    Version(s): 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5; and prior versions...
    ___

    - https://atlas.arbor.net/briefs/index#-1227693199
    High Severity
    17 Jul 2014

    Last edited by AplusWebMaster; 2014-07-18 at 15:08.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •