Java JRE updates/advisories

Java users at risk ...

FYI...

Java users at risk ...
- http://community.websense.com/blogs...-users-still-vulnerable-to-java-exploits.aspx
4 Jun 2013 - "... collecting telemetry... to provide insight into usage of the most recent version of Java... almost 93% of users are still not patched to the most recent version of Java. This leaves the majority of users still vulnerable to the dangers of exploit code already in use in the wild... So 1 month after release, the remaining 92.8% of users remain vulnerable to at least one exploit in the wild... the April 2013 Java Critical Patch Update contained 42 new security fixes, of which 39 may be remotely exploitable without authentication. We saw that on April 20, 2013, to illustrate the danger of just one of these 39 remote execution vulnerabilities, Metasploit published a module to exploit a vulnerability in CVE-2013-2423*. We have observed this particular exploit code incorporated into exploit kits and used in the wild..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423

Java JRE 7u21
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
April 16, 2013

Recommended Version 7 Update 21
- https://www.java.com/en/download/manual.jsp

- https://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to-a-hacked-site-and-get-infected vulnerabilities..."

:fear::fear:
 
Java JRE v7u25 released

FYI...

Java JRE 7u25
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
June 18, 2013

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html

- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
"... This Critical Patch Update contains 40 new security fixes across Java SE products of which 4 are applicable to server deployments of Java..."

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html#AppendixJAVA

- http://www.oracle.com/technetwork/topics/security/javacpujun2013verbose-1899853.html

- https://blogs.oracle.com/security/entry/june_2013_critical_patch_update
Jun 18, 2013

Recommended Version 7 Update 25
- https://www.java.com/en/download/manual.jsp
___

- http://www.securitytracker.com/id/1028679
CVE Reference: CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744
Jun 18 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0 Update 45, 6 Update 45, 7 Update 21; and prior versions ...
Solution: The vendor has issued a fix (7 Update 25).

- https://secunia.com/advisories/53846/
Release Date: 2013-06-19
Criticality level: Highly critical
Impact: Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 21 and prior
* JDK and JRE 6 Update 45 and prior
* JDK and JRE 5 Update 45 and prior
Solution: Apply updates...
___

Less Than 1 Percent Of Enterprises Run Newest Version Of Java
Most businesses have multiple, outdated versions of the app on their endpoints, new report finds
- http://www.darkreading.com/vulnerab...an-1-per/240158496?printer_friendly=this-page
July 18, 2013 - "... More than 90 percent of organizations are running a version of Java that's at least five years old, and 82 percent of endpoints run Java version 6, according to a new report by Bit9 that investigated Java installations in the enterprise. There are an average of 1.6 versions of Java on every endpoint, and nearly half of all endpoints have more than two versions of the application. Fewer than 1 percent run the newest version of Java: version 7 Update 25, Bit9 found... why don't enterprises merely purge older versions of Java? It's the old legacy application problem. Applications that are tied to a specific version of Java could lose functionality if only the new version of Java were running..."

:fear:
 
Java 6 0-Day exploit-in-the-wild

FYI...

Java 6 0-Day exploit-in-the-wild
- https://community.qualys.com/blogs/...s/2013/08/26/java-6-0-day-exploit-in-the-wild
Aug 26, 2013 - "CVE-2013-2463 is a vulnerability in the Java 2D subcomponent, which was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 (including the latest u45) has the same vulnerability, as Oracle acknowledges in the CPU, but since Java 6 has become unsupported as of its End-of-Life in April 2013, there is no patch for the vulnerability... this time, things have become a bit more serious. As Matthew Schwartz reports in Informationweek*, F-Secure has seen exploits for this vulnerability in Java 6 in the wild. Further they have seen it included in the Neutrino exploit kit, which guarantees that it will find widespread adoption. In addition, we still see very high rates of Java 6 installed (a bit over 50%), which means many organizations are vulnerable..."
* https://www.informationweek.com/sec...rs-target-java-6-with-security-expl/240160443

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2463 - 10.0 (HIGH)
___

- https://community.qualys.com/blogs/...s/2013/08/26/java-6-0-day-exploit-in-the-wild
Comments: "... OpenJDK 6 remains supported and actively patched for security flaws. An OpenJDK 6 patch for CVE-2013-2463 is available":
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023941.html
___

- http://blog.trendmicro.com/trendlabs-security-intelligence/java-native-layer-exploits-going-up/
Aug 28, 2013 - "... We urge users to carefully evaluate whether their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws."
___

- http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/
4 Sep 2013
* http://krebsonsecurity.com/wp-content/uploads/2013/09/javaprompt.png

- https://www.cert.org/blogs/certcc/2013/04/dont_sign_that_applet.html

- http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

:fear::fear:
 
Java JRE 7u45 released

FYI...

Java JRE 7u45 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

- http://www.oracle.com/technetwork/java/javase/downloads/index.html
"This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

- https://blogs.oracle.com/java/entry/java_se_7_update_45
Oct 15, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

Recommended Version 7 Update 45
- https://www.java.com/en/download/manual.jsp

- http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA
"This Critical Patch Update contains -51- new security fixes for Oracle Java SE. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

- https://secunia.com/advisories/55315/
Release Date: 2013-10-16
Criticality: Highly Critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Solution Status: Vendor Patch
CVE Reference(s): CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA
http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html#JAVA
___

- http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
Oct. 16, 2013 - "... seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants..."
___

- https://isc.sans.edu/diary.html?storyid=16811
Last Updated: 2013-10-15 20:17:01 UTC - "... Oracle is now on a quarterly update schedule, starting with this version. Going forward, expect regular updates to be released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
14 January 2014
15 April 2014
15 July 2014
14 October 2014 ..."

:fear::fear:
 
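The "Tuesday closest to the 17th" rule quoted from the ISC diary above is concrete enough to check in code. The following Python, added here and not part of the thread or the ISC diary, computes the CPU date for any quarter, reproduces the four dates listed, and counts how many CPUs a host has missed since its last update (the `missed_cpus` helper and its sample dates are my own construction, not from the page).

```python
from datetime import date, timedelta

# Oracle's quarterly Critical Patch Update months, per the ISC diary quoted above.
CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday == 0 ... Sunday == 6


def closest_tuesday(anchor: date) -> date:
    """Return the Tuesday nearest to `anchor`.

    A week has an odd number of days, so the anchor is never equidistant
    from two Tuesdays and the result is unique.
    """
    # Offsets -3..+3 span seven consecutive days, exactly one of which is a Tuesday.
    for offset in range(-3, 4):
        candidate = anchor + timedelta(days=offset)
        if candidate.weekday() == TUESDAY:
            return candidate
    raise AssertionError("unreachable: a 7-day window always contains a Tuesday")


def cpu_date(year: int, month: int) -> date:
    """CPU release date for one quarter: the Tuesday closest to the 17th."""
    if month not in CPU_MONTHS:
        raise ValueError(f"{month} is not a CPU month; expected one of {CPU_MONTHS}")
    return closest_tuesday(date(year, month, 17))


def cpu_schedule(year: int) -> list:
    """All four CPU dates of a year as ISO strings, in calendar order."""
    return [cpu_date(year, m).isoformat() for m in CPU_MONTHS]


def next_cpu_after(today_iso: str) -> str:
    """First scheduled CPU strictly after the given day (useful when planning a patch window)."""
    today = date.fromisoformat(today_iso)
    for year in (today.year, today.year + 1):
        for month in CPU_MONTHS:
            d = cpu_date(year, month)
            if d > today:
                return d.isoformat()
    raise AssertionError("unreachable: the following year always has a later CPU")


def missed_cpus(last_patched_iso: str, today_iso: str) -> int:
    """How many CPUs have shipped since a host was last patched.

    Counts CPU dates in the half-open window (last_patched, today]; a host
    with a non-zero count is running a build with publicly known, fixed flaws.
    """
    last_patched = date.fromisoformat(last_patched_iso)
    today = date.fromisoformat(today_iso)
    if today < last_patched:
        raise ValueError("today precedes the last patch date")
    return sum(
        1
        for year in range(last_patched.year, today.year + 1)
        for month in CPU_MONTHS
        if last_patched < cpu_date(year, month) <= today
    )


if __name__ == "__main__":
    # Reproduce the four dates listed in the ISC diary.
    print("2014 CPU schedule:", cpu_schedule(2014))
    # Constructed scenario (not from the thread): a host still on the Oct 15, 2013
    # build, checked on Jul 18, 2014, has three CPUs outstanding.
    print("CPUs missed:", missed_cpus("2013-10-15", "2014-07-18"))
    print("Next CPU after 2014-10-14:", next_cpu_after("2014-10-14"))
```

The same rule also yields the later release dates this thread records (Jan 20 and Oct 20, 2015; Jan 19, 2016), which is a quick way to sanity-check a patch-tracking calendar.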
Java JRE 7u51 released ...

FYI...

Java JRE 7u51 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Jan 14, 2014

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA

- http://www.oracle.com/technetwork/java/javase/downloads/index.html
"This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

- https://blogs.oracle.com/java/entry/java_se_7_update_51
"... important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html

Recommended Version 7 Update 51
- https://www.java.com/en/download/manual.jsp
___

- http://www.securitytracker.com/id/1029608
CVE Reference: CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0382, CVE-2014-0385, CVE-2014-0387, CVE-2014-0403, CVE-2014-0408, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428
Jan 14 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7 Update 51...

- https://secunia.com/advisories/56485/
Release Date: 2014-01-15
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...
___

Java Primary Cause of 91% of Attacks
- http://www.eweek.com/security/java-primary-cause-of-91-percent-of-attacks-cisco.html
2014-01-16 - "... no one technology was more abused or more culpable than Java, according to Cisco's latest annual security report*... What that means is that the final payload in observed attacks was a Java exploit..."
* http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
"... 91% of web exploits target Java..."

:fear::fear:
 
Java SE 8 ...

FYI...

Java SE 8
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Mar 18, 2014

Java SE 8 Now Available
- https://blogs.oracle.com/java/entry/java_se_embedded_8

JRE 8
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

JDK 8 Release Notes
- http://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html
"The Java Platform, Standard Edition 8 Development Kit (JDK 8) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas... links to release information about enhancements, changes, bugs, installation, runtime deployment, and documentation. Release Notes files are located on our website only and are not in the documentation download bundle, unless otherwise noted..."

Known Issues for JDK 8
- http://www.oracle.com/technetwork/java/javase/8-known-issues-2157115.html
___

Recommended Version 7 Update 51
- https://www.java.com/en/download/manual.jsp

:fear:
 
Java SE 8u5 ...

FYI...

Java SE 8u5
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Apr 15, 2014

Release Notes
- http://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html

Oracle Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
___

Recommended Version 7 Update 55
- https://www.java.com/en/download/manual.jsp

Release Notes - 7u55
- http://www.oracle.com/technetwork/java/javase/7u55-relnotes-2177812.html
"... This JRE (version 7u55) will expire with the release of the next critical patch update scheduled for July 15, 2014..."
___

- https://secunia.com/advisories/57932/
Release Date: 2014-04-16
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
CVE Reference(s): CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0432, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-0463, CVE-2014-0464, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2403, CVE-2014-2409, CVE-2014-2410, CVE-2014-2412, CVE-2014-2413, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2422, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 51 and prior
* JDK and JRE 6 Update 71 and prior
* JDK and JRE 5 Update 61 and prior
* JDK and JRE 8
Solution: Apply updates...
Original Advisory:
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA

:fear:
 
Java JRE 7u60 released

FYI...

Java JRE 7u60 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
May 28, 2014

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u60-relnotes-2200106.html
... notable bug fixes in this release:
Area: security-libs/java.security
Synopsis: Realm.getRealmsList returns realms list in wrong order...

Bug fixes included in JDK 7u60 release
- http://www.oracle.com/technetwork/java/javase/2col/7u60-bugfixes-2202029.html
___

Recommended Version 7 Update 60
- https://www.java.com/en/download/manual.jsp

:fear:
 
Java 7u65 released

FYI...

Java 7u65 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
July 15, 2014

Java 8u11
- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA
"... contains 20 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication..."
___

Recommended Version 7 Update 65
- https://www.java.com/en/download/manual.jsp

Java Uninstall Tool
- https://www.java.com/en/download/faq/uninstaller_toolinfo.xml
"... simplifying the process of finding and uninstalling older versions of Java. The Uninstall tool shows you a list of the Java versions on your computer and then removes those that are out of date..."
- https://www.java.com/en/download/uninstallapplet.jsp
___

- http://www.securitytracker.com/id/1030577
CVE Reference: CVE-2014-2483, CVE-2014-2490, CVE-2014-4208, CVE-2014-4209, CVE-2014-4216, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4223, CVE-2014-4227, CVE-2014-4244, CVE-2014-4247, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4264, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268
Jul 15 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5; and prior versions...
___

- https://atlas.arbor.net/briefs/index#-1227693199
High Severity
17 Jul 2014

:fear:
 
Java 8u25 released

FYI...

Java 8u25 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Oct 14, 2014 - "This release includes important security fixes. Oracle strongly recommends that all Java SE 8 users upgrade to this release."

Release Notes
- http://www.oracle.com/technetwork/java/javase/8u25-relnotes-2296185.html

Java JRE 8u25 downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Java JDK 8u25 downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

Recommended Version 8 Update 25
- https://www.java.com/en/download/manual.jsp

... if you still need to use Java at all. If not - uninstall it!
___

- http://www.securitytracker.com/id/1031035
CVE Reference: CVE-2014-0050, CVE-2014-2478, CVE-2014-4289, CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4294, CVE-2014-4295, CVE-2014-4296, CVE-2014-4297, CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-4301, CVE-2014-4310, CVE-2014-6452, CVE-2014-6453, CVE-2014-6454, CVE-2014-6455, CVE-2014-6467, CVE-2014-6483, CVE-2014-6537, CVE-2014-6538, CVE-2014-6542, CVE-2014-6544, CVE-2014-6545, CVE-2014-6546, CVE-2014-6547, CVE-2014-6560, CVE-2014-6563, CVE-2014-6513, CVE-2014-6532, CVE-2014-6503, CVE-2014-6456, CVE-2014-6562, CVE-2014-6485, CVE-2014-6492, CVE-2014-6493, CVE-2014-4288, CVE-2014-6466, CVE-2014-6458, CVE-2014-6468, CVE-2014-6506, CVE-2014-6511, CVE-2014-6476, CVE-2014-6515, CVE-2014-6504, CVE-2014-6519, CVE-2014-6517, CVE-2014-6531, CVE-2014-6512, CVE-2014-6457, CVE-2014-6527, CVE-2014-6502, CVE-2014-6558
Oct 15 2014
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Description: Multiple vulnerabilities were reported in Oracle Java. A remote or local user can obtain elevated privileges on the target system. A remote user can partially access and modify data...
Solution: The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - October 2014.
The vendor's advisory is available at:
- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

>> http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html#JAVA

:fear::fear:
 
Java 8u31 released

FYI...

Java 8u31 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Jan 20, 2015

Release notes
- http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html

Bug Fixes
- http://www.oracle.com/technetwork/java/javase/2col/8u31-bugfixes-2389095.html

JRE Downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Oracle Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA
Jan 20, 2015

Recommended Version 8 Update 31
- https://www.java.com/en/download/manual.jsp
Jan 20, 2015

... -if- you still need to use Java at all. If not - uninstall it!

- https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
Jan 20, 2015 - "... Organizations should disable the use of all versions of SSL as they can no longer rely on SSL to ensure secure communications between systems. Customers should update their custom code to switch to a more resilient protocol (e.g., TLS 1.2). They should also expect that all versions of SSL be disabled in all Oracle software moving forward. A manual configuration change can allow Java SE clients and server endpoints, which have been updated with this Critical Patch Update, to continue to temporarily use SSL v3.0. However, Oracle strongly recommends organizations to phase out their use of SSL v3.0 as soon as possible..."

>> https://www.ssllabs.com/ssltest/viewMyClient.html
___

- http://www.securitytracker.com/id/1031580
CVE Reference: CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0400, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413, CVE-2015-0421, CVE-2015-0437
Jan 20 2015
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0u75, 6u85, 7u72, 8u25 ...
Solution: The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - January 2015.
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA

:fear::fear:
 
Java 8u40 released

FYI...

Java 8u40 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Mar 4, 2015

Release notes
- http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html

Downloads / JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Recommended Version 8 Update 40
- https://www.java.com/en/download/manual.jsp
Mar 4, 2015

... -if- you still need to use Java at all. If not - uninstall it!
___

- http://www.engadget.com/2015/03/06/java-adware-mac/
March 6 2015 - "... For Java 8 Update 40 on Mac, the update instructions now confirm that "Oracle has partnered with companies that offer various products," including Ask.com (McAfee products have also been bundled on the PC)... the parent company of Ask.com - which also owns Tinder, OKCupid, the Daily Beast and others - paid out $883 million to partners like Oracle to distribute its toolbar and other wares..."
> https://www.java.com/ga/images/en/mac_sponsors.jpg

:fear:
 
Java 8u45 released

FYI...

Java 8u45 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Apr 14, 2015

Release notes
- http://www.oracle.com/technetwork/java/javase/8u45-relnotes-2494160.html

Downloads / JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Recommended Version 8 Update 45
- https://www.java.com/en/download/manual.jsp
Apr 14, 2015

... -if- you still need to use Java at all. If not - uninstall it!
___

- http://www.securitytracker.com/id/1032120
CVE Reference: CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492
Apr 14 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Java SE 5.0u81, 6u91, 7u76, 8u40; Java FX 2.2.76...
Solution: The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - April 2015.

> http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA
"... contains 14 new security fixes for Oracle Java... All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
> http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html#JAVA

:fear::fear:
 
Java 8u51 released

FYI...

Java 8u51 released

Release Notes
- http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html

Downloads / JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Recommended Version 8 Update 51
- https://www.java.com/en/download/manual.jsp
July 14, 2015

... -if- you still need to use Java at all. If not - uninstall it!
___

Patch Availability Table
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
"... contains 25 new security fixes for Oracle Java SE. 23 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

- https://blogs.oracle.com/security/entry/july_2015_critical_patch_update
Jul 14, 2015 - "... 25 fixes for Oracle Java SE. 23 of these Java SE vulnerabilities are remotely exploitable without authentication. 16 of these Java SE fixes are for Java client-only, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployment. One fix is specific to the Mac platform. And 4 fixes are for JSSE client and server deployments. Please note that this Critical Patch Update also addresses a recently announced 0-day vulnerability (CVE-2015-2590), which was being reported as actively exploited in the wild..."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2590
Last revised: 07/16/2015
10.0 (HIGH)
___

- http://www.securitytracker.com/id/1032910
CVE Reference: CVE-2015-2590, CVE-2015-2596, CVE-2015-2597, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2659, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760
Jul 15 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - July 2015.

:fear::fear:
 
Java 8u65 released

FYI...

Java 8u65 released
Oct 20, 2015

Release Notes
- http://www.oracle.com/technetwork/java/javase/8u65-relnotes-2687063.html

Downloads / JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Recommended Version 8 Update 65
- https://www.java.com/en/download/manual.jsp

... -if- you still need to use Java at all. If not - uninstall it!
___

Patch Availability Table
> http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA

- https://blogs.oracle.com/security/entry/october_2015_critical_patch_update
"... Oracle Java SE receives -25- new security fixes, -24- of which are remotely exploitable without authentication. The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0. -20- of the Java SE vulnerabilities only affect client deployment of Java SE (e.g., Java in the browser). The remaining 5 vulnerabilities affect client and server deployments of Java SE... remove obsolete JAVA SE versions from their desktop if they are not needed..."
___

- http://www.securitytracker.com/id/1033884
CVE Reference: CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4901, CVE-2015-4902, CVE-2015-4903, CVE-2015-4906, CVE-2015-4908, CVE-2015-4911, CVE-2015-4916
Oct 20 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 6u101, 7u85, 8u60; Embedded 8u51 ...
Solution: The vendor has issued a fix as part of the October 2015 Oracle Critical Patch Update.

:fear::fear:
 
Java 8u71 released

FYI...

Java 8u71 Update Release Notes
- http://www.oracle.com/technetwork/java/javase/8u71-relnotes-2773756.html
Jan 19, 2016

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA

> http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html#JAVA

Recommended Version 8 Update 71
- https://www.java.com/en/download/manual.jsp
Jan 19, 2016

... -if- you still need to use Java at all. If not - uninstall it!
___

- http://www.securitytracker.com/id/1034713
CVE Reference: CVE-2015-8126, CVE-2015-8472
Jan 19 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 6u105, 7u91, 8u66
Impact: A remote user can create content that, when loaded by the target application, will execute arbitrary code on the target user's system.
Solution: Oracle has issued a fix for Oracle Java SE as part of the January 2016 Oracle Critical Patch Update.

- http://www.securitytracker.com/id/1034714
CVE Reference: CVE-2015-7575
Jan 19 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 6u105, 7u91, 8u66
Impact: A remote user can conduct hash collision forgery attacks.
Solution: Sun has issued a fix for CVE-2015-7575 for Oracle Java SE as part of the January 2016 Oracle Critical Patch Update.

- http://www.securitytracker.com/id/1034715
CVE Reference: CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475, CVE-2016-0483, CVE-2016-0494
Jan 20 2016
Impact: A remote user can obtain data on the target system.
A remote user can modify data on the target system.
A remote user can cause partial denial of service conditions.
A remote user can gain elevated privileges on the target system.
Solution: The vendor has issued a fix as part of the January 2016 Oracle Critical Patch Update.

:fear::fear:
 
Java 8u73 released

FYI...

Java 8u73 released
- https://www.java.com/en/download/manual.jsp
Recommended Version 8 Update 73
Feb 5, 2016

Java 8u73 Update Release Notes
- http://www.oracle.com/technetwork/java/javase/8u73-relnotes-2874654.html

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

- http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html#AppendixJAVA
Notes: Applies to installation of Java SE on Windows only.
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0603

- https://blogs.oracle.com/security/entry/security_alert_cve_2016_0603
Feb 05, 2016 - "... unsuspecting user (can) be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8... vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system..."

- https://www.us-cert.gov/ncas/current-activity/2016/02/08/Oracle-Releases-Security-Updates-Java
February 08, 2016

> http://www.securitytracker.com/id/1034969
Feb 9 2016

... -if- you still need to use Java at all. If not - uninstall it!

:fear::fear:
 