Vulnerability in Oracle Java SE Could Allow for Remote Code Execution

ITS Advisory Number: 
2016-060
Date(s) Issued: 
Thursday, April 7, 2016
Subject: 
Vulnerability in Oracle Java SE Could Allow for Remote Code Execution
Overview: 

A vulnerability in Oracle Java SE for desktop web browsers could allow for remote code execution. This vulnerability does not affect Java deployments, such as those in servers or standalone applications, that load and run only trusted code, nor does it affect Oracle server-based software. Successful exploitation of this vulnerability may allow for remote code execution in the context of the current application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Oracle Java SE 7 Update 97
  • Oracle Java SE 8 Update 73 and 74  

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Oracle Java SE is vulnerable to a remote code execution vulnerability due to a flaw in its 'Hotspot' sub-component. This vulnerability can be exploited when a user running an unpatched version of Java SE visits a malicious web page in a browser with the Java plug-in enabled; no authentication is required. Successful exploitation of this vulnerability may allow for remote code execution in the context of the current application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


  • Vulnerability affecting Java SE may be remotely exploitable without authentication (CVE-2016-0636)

Actions: 
  • Install the updates provided by Oracle immediately after appropriate testing.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Limit application and user access to only what is required.
  • Do not open email attachments from unknown or untrusted sources.
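To support the first action above (patch after testing), administrators need to know which hosts run one of the releases listed under Systems Affected. The following script is an added example, not part of this advisory and not an Oracle tool: it parses the output of `java -version` (which the JVM prints on stderr), records whether the VM line names HotSpot (the sub-component the advisory attributes the flaw to), and compares the update number against the advisory's list. The sample outputs embedded below are constructed, not captured from real hosts, and the handling of releases older than the listed ones (treat as needing the update) is this script's own conservative assumption, not a statement from the advisory.

```python
"""Classify a host's Java SE install against the releases this advisory lists.

Added example; not part of the advisory. Sample 'java -version' outputs are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Releases the advisory lists under "Systems Affected": 7u97, 8u73 and 8u74.
AFFECTED = {7: {97}, 8: {73, 74}}

VERSION_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')
# Third line of 'java -version' names the VM, e.g.
# 'Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)'.
VM_RE = re.compile(r'^(?P<vm>.*?\bVM\b)\s*\(build', re.MULTILINE)


@dataclass
class JavaInfo:
    version: str           # raw string inside 'java version "..."'
    major: int             # 7, 8, 9, ...
    update: Optional[int]  # update number under the 1.x.y_NN scheme, else None
    hotspot: bool          # True when the VM line names HotSpot


def parse_java_version(output: str) -> Optional[JavaInfo]:
    """Parse 'java -version' output; returns None if no version string is present."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    ver = m.group("ver")
    legacy = re.match(r"1\.(\d+)\.\d+_(\d+)", ver)  # e.g. 1.8.0_74 -> major 8, update 74
    if legacy:
        major, update = int(legacy.group(1)), int(legacy.group(2))
    else:                                           # 9+ scheme, e.g. 9.0.4 or 11.0.2
        lead = re.match(r"\d+", ver)
        major, update = (int(lead.group(0)) if lead else 0), None
    vm = VM_RE.search(output)
    hotspot = bool(vm and "HotSpot" in vm.group("vm"))
    return JavaInfo(ver, major, update, hotspot)


def classify(info: JavaInfo) -> str:
    """Map a parsed install to an action relative to the advisory's affected list."""
    if info.major not in AFFECTED or info.update is None:
        return "not covered by this advisory"
    listed = AFFECTED[info.major]
    if info.update in listed:
        return "listed as affected: patch"
    if info.update > max(listed):
        return "newer than the listed affected releases: verify against Oracle's patch notes"
    # Assumption (not stated in the advisory): releases older than the listed ones are
    # out of support and are treated as needing the update as well.
    return "older than the listed affected releases: assume affected, patch"


def assess(output: str) -> dict:
    """Full assessment of one 'java -version' capture."""
    info = parse_java_version(output)
    if info is None:
        return {"status": "no Java version string found"}
    return {"version": info.version, "major": info.major, "update": info.update,
            "hotspot": info.hotspot, "status": classify(info)}


# Constructed sample captures (not from real hosts).
SAMPLE_8U74 = ('java version "1.8.0_74"\n'
               'Java(TM) SE Runtime Environment (build 1.8.0_74-b02)\n'
               'Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)\n')
SAMPLE_7U97 = ('java version "1.7.0_97"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_97-b02)\n'
               'Java HotSpot(TM) 64-Bit Server VM (build 24.97-b02, mixed mode)\n')
SAMPLE_8U77 = ('java version "1.8.0_77"\n'
               'Java(TM) SE Runtime Environment (build 1.8.0_77-b03)\n'
               'Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)\n')

if __name__ == "__main__":
    for sample in (SAMPLE_8U74, SAMPLE_7U97, SAMPLE_8U77):
        print(assess(sample))
    try:  # live check of the default java on this host, if one is on PATH
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
        print("local:", assess(proc.stderr + proc.stdout))
    except FileNotFoundError:
        print("local: java not on PATH")
```

Run it on each managed host (or feed it `java -version` captures collected by your inventory tooling); only the hosts reported as "listed as affected" or "older than the listed affected releases" need the Oracle update, while a "newer" result should still be cross-checked against Oracle's patch notes before being closed out.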