989734 – (CVE-2016-3485) VUL-0: CVE-2016-3485: java-1_8_0-openjdk,java-1_7_0-openjdk: weak authentication secret in Pipe implementation on Windows (Networking, 8145446)

Bug 989734 (CVE-2016-3485) - VUL-0: CVE-2016-3485: java-1_8_0-openjdk,java-1_7_0-openjdk: weak authentication secret in Pipe implementation on Windows (Networking, 8145446)

Summary: VUL-0: CVE-2016-3485: java-1_8_0-openjdk,java-1_7_0-openjdk: weak authenticat...

Status:	RESOLVED FIXED

Alias:	CVE-2016-3485

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Minor
Target Milestone:	---
Assignee:	Fridrich Strba
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-07-20 10:32 UTC by Andreas Stieger
Modified:	2016-08-12 10:09 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2016-07-20 10:32:18 UTC

Oracle July 2016 Patch Day.
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA
http://www.oracle.com/technetwork/topics/security/cpujul2016verbose-2881721.html#JAVA

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u115, 7u101 and 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data.

Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

CVSS v3.0 Base Score 2.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).  CVSS v2 Vector (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Comment 1 Andreas Stieger 2016-07-20 11:37:51 UTC

Windows only, closing.

Comment 2 Swamp Workflow Management 2016-08-05 22:14:25 UTC

openSUSE-SU-2016:1979-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 984684,987895,989721,989722,989723,989725,989726,989727,989728,989729,989730,989731,989732,989733,989734
CVE References: CVE-2016-3458,CVE-2016-3485,CVE-2016-3498,CVE-2016-3500,CVE-2016-3503,CVE-2016-3508,CVE-2016-3511,CVE-2016-3550,CVE-2016-3552,CVE-2016-3587,CVE-2016-3598,CVE-2016-3606,CVE-2016-3610
Sources used:
openSUSE 13.2 (src):    java-1_8_0-openjdk-1.8.0.101-30.2

Comment 3 Swamp Workflow Management 2016-08-09 15:17:37 UTC

SUSE-SU-2016:1997-1: An update that solves 11 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 982366,984684,988651,989722,989723,989725,989727,989728,989729,989730,989731,989732,989733,989734
CVE References: CVE-2016-3458,CVE-2016-3485,CVE-2016-3498,CVE-2016-3500,CVE-2016-3503,CVE-2016-3508,CVE-2016-3511,CVE-2016-3550,CVE-2016-3598,CVE-2016-3606,CVE-2016-3610
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_7_0-openjdk-1.7.0.111-33.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_7_0-openjdk-1.7.0.111-33.1

Comment 4 Swamp Workflow Management 2016-08-09 15:37:38 UTC

SUSE-SU-2016:2012-1: An update that solves 13 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 984684,987895,988651,989721,989722,989723,989725,989726,989727,989728,989729,989730,989731,989732,989733,989734
CVE References: CVE-2016-3458,CVE-2016-3485,CVE-2016-3498,CVE-2016-3500,CVE-2016-3503,CVE-2016-3508,CVE-2016-3511,CVE-2016-3550,CVE-2016-3552,CVE-2016-3587,CVE-2016-3598,CVE-2016-3606,CVE-2016-3610
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.101-14.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.101-14.3

Comment 5 Andreas Stieger 2016-08-11 17:27:01 UTC

All done, closing

Comment 6 Swamp Workflow Management 2016-08-11 21:10:40 UTC

openSUSE-SU-2016:2050-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 988651,989722,989723,989725,989727,989728,989729,989730,989731,989732,989733,989734
CVE References: CVE-2016-3458,CVE-2016-3485,CVE-2016-3498,CVE-2016-3500,CVE-2016-3503,CVE-2016-3508,CVE-2016-3511,CVE-2016-3550,CVE-2016-3598,CVE-2016-3606,CVE-2016-3610
Sources used:
openSUSE 13.2 (src):    java-1_7_0-openjdk-1.7.0.111-25.1, java-1_7_0-openjdk-bootstrap-1.7.0.111-25.1

Comment 7 Swamp Workflow Management 2016-08-11 21:13:02 UTC

openSUSE-SU-2016:2051-1: An update that solves 13 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 984684,987895,988651,989721,989722,989723,989725,989726,989727,989728,989729,989730,989731,989732,989733,989734
CVE References: CVE-2016-3458,CVE-2016-3485,CVE-2016-3498,CVE-2016-3500,CVE-2016-3503,CVE-2016-3508,CVE-2016-3511,CVE-2016-3550,CVE-2016-3552,CVE-2016-3587,CVE-2016-3598,CVE-2016-3606,CVE-2016-3610
Sources used:
openSUSE Leap 42.1 (src):    java-1_8_0-openjdk-1.8.0.101-15.1

Comment 8 Swamp Workflow Management 2016-08-11 21:15:00 UTC

openSUSE-SU-2016:2052-1: An update that solves 11 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 982366,984684,988651,989722,989723,989725,989727,989728,989729,989730,989731,989732,989733,989734
CVE References: CVE-2016-3458,CVE-2016-3485,CVE-2016-3498,CVE-2016-3500,CVE-2016-3503,CVE-2016-3508,CVE-2016-3511,CVE-2016-3550,CVE-2016-3598,CVE-2016-3606,CVE-2016-3610
Sources used:
openSUSE Leap 42.1 (src):    java-1_7_0-openjdk-1.7.0.111-34.1, java-1_7_0-openjdk-bootstrap-1.7.0.111-34.1

Comment 9 Swamp Workflow Management 2016-08-12 10:09:52 UTC

openSUSE-SU-2016:2058-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 988651,989722,989723,989725,989727,989728,989729,989730,989731,989732,989733,989734
CVE References: CVE-2016-3458,CVE-2016-3485,CVE-2016-3498,CVE-2016-3500,CVE-2016-3503,CVE-2016-3508,CVE-2016-3511,CVE-2016-3550,CVE-2016-3598,CVE-2016-3606,CVE-2016-3610
Sources used:
openSUSE 13.1 (src):    java-1_7_0-openjdk-1.7.0.111-24.39.1