JPCERT-AT-2016-0015
JPCERT/CC
2016-03-24
<<< JPCERT/CC Alert 2016-03-24 >>>
Alert on Vulnerability in Oracle Java SE (CVE-2016-0636)
https://www.jpcert.or.jp/english/at/2016/at160015.html
I. Overview
Java SE JDK and JRE provided by Oracle contain a vulnerability.
A remote attacker may cause Java to execute arbitrary code by convincing
a user to open contents leveraging the vulnerability. For more information
on the vulnerability, please refer to the information provided by Oracle:
Oracle Security Alert for CVE-2016-0636
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html
It is recommended to update the software to the latest version provided
by Oracle.
II. Affected Products
The following products and versions are affected by this vulnerability:
- Java SE JDK/JRE 8 Update 74 and earlier
According to Oracle, Java SE JDK / JRE 7, which are no
longer supported, are also affected by this vulnerability.
III. Solution
Oracle has released an update. Please update the software to the
latest version. According to Oracle, arbitrary code may be executed
by convincing a user to open untrusted contents leveraging the
vulnerability.
- Java SE JDK/JRE 8 Update 77
Java SE Downloads
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Free Java Download
https://java.com/en/download/
Users of 64-bit Windows may have 32-bit and/or 64-bit
versions of JDK/JRE installed. Please check the versions installed on
your system and apply the appropriate updates.
Users can check the version of Java that they are using at the page
below. If both 32-bit and 64-bit versions of Java are installed,
please check the versions installed, using a 32-bit and 64-bit browser
respectively. (In environments where Java is not installed, there may
be a request to install Java. If you do not require Java, please do
not install.)
Verify Java and Find Out-of-Date Versions
https://www.java.com/en/download/installed.jsp
* Some applications that use Java may not run properly after updating
Java to the latest version. Please update the software to the latest version
after considering any possible impacts to applications that you may
use.
* PCs provided by some certain manufacturers may have JRE pre-installed.
Please check the PC that you are using for any installed versions
of JRE.
* With the critical patch updates in April 2015, the official
update of Java SE JDK / JRE 7 was terminated. It is recommended
that you consider the transition to Java SE JDK / JRE 8.
Java SE 7 End of Public Updates Notice
https://www.java.com/en/download/faq/java_7.xml
IV. References
Oracle
Oracle Security Alert for CVE-2016-0636
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html
Oracle
8u77 Update Release Notes
http://www.oracle.com/technetwork/java/javase/8u77-relnotes-2944725.html
Oracle
Release Notes for JDK 8 and JDK 8 Update Releases
http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html
Oracle
Oracle Java SE Support Roadmap
http://www.oracle.com/technetwork/jp/java/eol-135779.html
Oracle
How do I control when an untrusted applet or application runs in my web browser?
https://www.java.com/en/download/help/jcp_security.xml
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top