THIS PAGE IS NOW RETIRED.
For current information on Security Vulnerability fixes for IBM Java, please visit the new page on the Java SDK Developer Center
IBM Security Updates and Oracle Critical Patch Updates (CPUs)
Page navigation
- Oracle October 18 2016 CPU (1.6.0_131, 1.7.0_121, 1.8.0_111)
- Oracle July 19 2016 CPU (1.6.0_121, 1.7.0_111, 1.8.0_101)
- IBM Security Update April 2016
- Oracle April 19 2016 CPU (1.6.0_115, 1.7.0_101, 1.8.0_91)
- Oracle Security Alert for CVE-2016-0636 (1.7.0_99, 1.8.0_77)
- Oracle Security Alert for CVE-2016-0603 (1.6.0_113, 1.7.0_97, 1.8.0_73)
- IBM Security Update January 2016
- Oracle January 19 2016 CPU (1.6.0_111, 1.7.0_95, 1.8.0_71)
- IBM Security Update November 2015
- Oracle October 20 2015 CPU (1.6.0_105, 1.7.0_91, 1.8.0_65)
- IBM Security Update July 2015
- Oracle July 14 2015 CPU (1.6.0_101, 1.7.0_85, 1.8.0_51)
- IBM Security Update June 2015
- IBM Security Update May 2015
- Oracle April 14 2015 CPU (1.5.0_85, 1.6.0_95, 1.7.0_79, 1.8.0_45)
- Older Java Security Alerts
Here are details of the most recent fixes in the Developer Kits currently available from our download pages.
IBM customers who require these fixes in a binary IBM Java SDK/JRE for use with an IBM product should contact IBM Support and engage the appropriate product service team.
Oracle October 18 2016 CPU (1.6.0_131, 1.7.0_121, 1.8.0_111)
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2016-5582 | 9.6 | 6.0.16.35, 6.1.8.35 | 7.0.9.60, 7.1.3.60 | 8.0.3.20 | Applicable on Solaris, HP-UX and Mac OS X only |
| CVE-2016-5568 | 9.6 | 6.0.16.35, 6.1.8.35 | 7.0.9.60, 7.1.3.60 | 8.0.3.20 | |
| CVE-2016-5556 | 9.6 | 6.0.16.35, 6.1.8.35 | 7.0.9.60, 7.1.3.60 | 8.0.3.20 | |
| CVE-2016-5573 | 8.3 | 6.0.16.35, 6.1.8.35 | 7.0.9.60, 7.1.3.60 | 8.0.3.20 | |
| CVE-2016-5597 | 5.9 | 6.0.16.35, 6.1.8.35 | 7.0.9.60, 7.1.3.60 | 8.0.3.20 | |
| CVE-2016-5554 | 4.3 | 6.0.16.35, 6.1.8.35 | 7.0.9.60, 7.1.3.60 | 8.0.3.20 | |
| CVE-2016-5542 | 3.1 | 6.0.16.35, 6.1.8.35 | 7.0.9.60, 7.1.3.60 | 8.0.3.20 | |
Further information on Oracle's October 18 2016 Critical Patch Update is available here.
Oracle July 19 2016 CPU (1.6.0_121, 1.7.0_111, 1.8.0_101)
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2016-3610 | 9.6 | N/A | N/A | 8.0.3.10 | Applicable on Solaris, HP-UX and Mac OS X only |
| CVE-2016-3598 | 9.6 | N/A | 7.0.9.50, 7.1.3.50 | 8.0.3.10 | |
| CVE-2016-3606 | 9.6 | N/A | 7.0.9.50 | 8.0.3.10 | Applicable on Solaris, HP-UX and Mac OS X only |
| CVE-2016-3587 | 9.6 | N/A | N/A | 8.0.3.10 | Applicable on Solaris, HP-UX and Mac OS X only |
| CVE-2016-3552 | 8.1 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3503 | 7.7 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3511 | 7.7 | N/A | 7.0.9.50, 7.1.3.50 | 8.0.3.10 | |
| CVE-2016-3498 | 5.3 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3508 | 5.3 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3550 | 4.3 | 6.0.16.30, 6.1.8.30 | 7.0.9.50 | 8.0.3.10 | Applicable on Solaris, HP-UX and Mac OS X only |
| CVE-2016-3500 | 4.3 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3458 | 4.3 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3485 | 2.9 | 6.0.16.30, 6.1.8.30 | 7.0.9.50, 7.1.3.50 | 8.0.3.10 | |
Further information on Oracle's July 19 2016 Critical Patch Update is available here.
IBM Security Update April 2016
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2016-0376 | 8.1 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-0363 | 8.1 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-0264 | 5.6 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | Not applicable on Solaris, HP-UX and Mac OS X |
Further information on the April 2016 IBM Security Update is available here.
Oracle April 19 2016 CPU (1.6.0_115, 1.7.0_101, 1.8.0_91)
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2016-3443 | 9.6 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-0687 | 9.6 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-0686 | 9.6 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-3427 | 9 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-3449 | 8.3 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-3425 | 5.3 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3422 | 4.3 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
| CVE-2016-0695 | 3.7 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2016-3426 | 3.1 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | |
Further information on Oracle's April 19 2016 Critical Patch Update is available here.
Oracle Security Alert for CVE-2016-0636 (1.7.0_99, 1.8.0_77)
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2016-0636 | 9.3 | 6.0.16.25, 6.1.8.25 | 7.0.9.40, 7.1.3.40 | 8.0.3.0 | Applicable on Solaris, HP-UX and Mac OS X only |
Further information on the Oracle Security Alert for CVE-2016-0636 is available here and here.
Oracle Security Alert for CVE-2016-0603 (1.6.0_113, 1.7.0_97, 1.8.0_73)
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2016-0603 | 7.6 | 6.0.16.21, 6.1.8.21 | 7.0.9.31, 7.1.3.31 | 8.0.2.11 | This issue is applicable to the Windows platform only |
Further information on the Oracle Security Alert for CVE-2016-0603 is available here.
IBM Security Update January 2016
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2015-8540 | 9.8 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | N/A | |
| CVE-2015-7981 | 5.3 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | N/A | |
| CVE-2015-5041 | 4.8 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
Further information on the January 2016 IBM Security Update is available here.
Oracle January 19 2016 CPU (1.6.0_111, 1.7.0_95, 1.8.0_71)
| CVE | CVSS | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2016-0494 | 10 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
| CVE-2016-0483 | 10 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
| CVE-2015-8126 | 7.8 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
| CVE-2015-8472 | 6.3 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
| CVE-2016-0475 | 5.8 | N/A | N/A | 8.0.2.10 | |
| CVE-2016-0466 | 5 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
| CVE-2016-0402 | 5 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
| CVE-2015-7575 | 4 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | SLOTH |
| CVE-2016-0448 | 4 | 6.0.16.20, 6.1.8.20 | 7.0.9.30, 7.1.3.30 | 8.0.2.10 | |
Further information on Oracle's January 19 2016 Critical Patch Update is available here.
IBM Security Update November 2015
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2015-5006 | 4.6 | Will not fix | 6.0.16.15, 6.1.8.15 | 7.0.9.20, 7.1.3.20 | 8.0.2.0 | |
Further information on the November 2015 IBM Security Update is available here.
Oracle October 20 2015 CPU (1.6.0_105, 1.7.0_91, 1.8.0_65)
Further information on Oracle's October 20 2015 Critical Patch Update is available here.
IBM Security Update July 2015
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2015-1931 | 2.1 | 5.0.16.13 | 6.0.16.7, 6.1.8.7 | 7.0.9.10, 7.1.3.10 | 8.0.1.10 | |
Further information on the July 2015 IBM Security Update is available here.
Oracle July 14 2015 CPU (1.6.0_101, 1.7.0_85, 1.8.0_51)
Further information on Oracle's July 14 2015 Critical Patch Update is available here.
IBM Security Update June 2015
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2015-4000 | 4.3 | 5.0 SR16-FP11 | 6 SR16-FP5, 6R1 SR8-FP5 | 7 SR9-FP1, 7R1 SR3-FP1 | 8 SR1-FP1 | |
Further information on the June 2015 IBM Security Update is available here.
IBM Security Update May 2015
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2015-0192 | 6.8 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-2808 | 5 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | Bar Mitzvah vulnerability |
| CVE-2015-1916 | 5 | N/A | N/A | N/A | 8 SR1 | |
| CVE-2015-1914 | 4.3 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0138 | 4.3 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | FREAK vulnerability |
Further information on the May 2015 IBM Security Update is available here.
Oracle April 14 2015 CPU (1.5.0_85, 1.6.0_95, 1.7.0_79, 1.8.0_45)
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | IBM 8 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2015-0491 | 10 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0459 | 10 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0469 | 10 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0460 | 9.3 | N/A | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2015-0458 | 7.6 | N/A | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0480 | 5.8 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0488 | 5 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0486 | 5 | N/A | N/A | N/A | 8 SR1 | |
| CVE-2015-0478 | 4.3 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0477 | 4.3 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | |
| CVE-2015-0470 | 4.3 | N/A | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2015-0204 | 4.3 | 5.0 SR16-FP10 | 6 SR16-FP4, 6R1 SR8-FP4 | 7 SR9, 7R1 SR3 | 8 SR1 | FREAK vulnerability. Fixed in IBM JRE/SDK under CVE-2015-0138 |
Further information on Oracle's April 14 2015 Critical Patch Update is available here.
Older Java Security Alerts
IBM Security Update February 2015
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2014-8891 | 6.8 | 5.0 SR16-FP9 | 6 SR16-FP3, 6R1 SR8-FP3 | 7 SR8-FP10, 7R1 SR2-FP10 | |
| CVE-2014-8892 | 4.3 | 5.0 SR16-FP9 | 6 SR16-FP3, 6R1 SR8-FP3 | 7 SR8-FP10, 7R1 SR2-FP10 | |
Further information on the February 2015 IBM Security Update is available here.
Oracle January 20 2015 CPU (1.5.0_81, 1.6.0_91, 1.7.0_75, 1.8.0_31)
Further information on Oracle's January 20 2015 Critical Patch Update is available here.
IBM Security Update November 2014
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2014-3065 | 6 | 5.0 SR16-FP8 | 6 SR16-FP2, 6R1 SR8-FP2 | 7 SR8, 7R1 SR2 | |
| CVE-2014-3566 | 4.3 | 5.0 SR16-FP8 | 6 SR16-FP2, 6R1 SR8-FP2 | 7 SR8, 7R1 SR2 | POODLE SSLv3 vulnerability |
Further information on the November 2014 IBM Security Update is available here.
Oracle October 14 2014 CPU (1.5.0_75, 1.6.0_85, 1.7.0_71, 1.8.0_25)
Further information on Oracle's October 14 2014 Critical Patch Update is available here.
IBM Security Update July 2014
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2014-3086 | 9.3 | 5.0 SR16-FP7 | 6 SR16-FP1, 6R1 SR8-FP1 | 7 SR7-FP1, 7R1 SR1-FP1 | |
| CVE-2014-3068 | 2.4 | 5.0 SR16-FP7 | 6 SR16-FP1, 6R1 SR8-FP1 | 7 SR7-FP1, 7R1 SR1-FP1 | |
Further information on the July 2014 IBM Security Update is available here.
Oracle July 15 2014 CPU (1.5.0_71, 1.6.0_81, 1.7.0_65, 1.8.0_11)
Further information on Oracle's July 15 2014 Critical Patch Update is available here.
IBM Security Update May 2014
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2014-0878 | 5.8 | 5.0 SR16-FP6 | 6 SR15-FP2, 6R1 SR8 | 7 SR7, 7R1 SR1 | |
Further information on the May 2014 IBM Security Update is available here.
Oracle April 15 2014 CPU (1.5.0_65, 1.6.0_75, 1.7.0_55, 1.8.0_05)
Further information on Oracle's April 15 2014 Critical Patch Update is available here.
Oracle January 14 2014 CPU (1.5.0_61, 1.6.0_71, 1.7.0_51)
Further information on Oracle's January 14 2014 Critical Patch Update is available here.
IBM Security Update November 2013
| CVE | CVSS | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2013-5458 | 9.3 | N/A | N/A | 7 SR6 | |
| CVE-2013-5456 | 9.3 | N/A | N/A | 7 SR6 | |
| CVE-2013-5457 | 9.3 | N/A | 6 SR15, 6.0.1 SR7 | 7 SR6 | |
| CVE-2013-4041 | 6.8 | 5.0 SR16-FP4 | 6 SR15, 6.0.1 SR7 | 7 SR6 | |
| CVE-2013-5375 | 4.3 | 5.0 SR16-FP4 | 6 SR15, 6.0.1 SR7 | 7 SR6 | |
| CVE-2013-5372 | 4.3 | 5.0 SR16-FP4 | 6 SR15, 6.0.1 SR7 | 7 SR6 | |
Further information on the November 2013 IBM Security Update is available here.
Oracle October 15 2013 CPU (1.5.0_55, 1.6.0_65, 1.7.0_45)
Further information on Oracle's October 15 2013 Critical Patch Update is available here.
IBM Security Update July 2013
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2013-3006 | 9.3 | N/A | N/A | N/A | 7 SR5 | |
| CVE-2013-3007 | 9.3 | N/A | N/A | 6.0.1 SR6 | 7 SR5 | |
| CVE-2013-3008 | 9.3 | N/A | N/A | N/A | 7 SR5 | |
| CVE-2013-3009 | 9.3 | 1.4.2 SR13-FP18 | 5.0 SR16-FP3 | 6 SR14, 6.0.1 SR6 | 7 SR5 | |
| CVE-2013-3010 | 9.3 | N/A | N/A | 6.0.1 SR6 | 7 SR5 | |
| CVE-2013-3011 | 9.3 | 1.4.2 SR13-FP18 | 5.0 SR16-FP3 | 6 SR14, 6.0.1 SR6 | 7 SR5 | |
| CVE-2013-3012 | 9.3 | 1.4.2 SR13-FP18 | 5.0 SR16-FP3 | 6 SR14, 6.0.1 SR6 | 7 SR5 | |
| CVE-2013-4002 | 7.1 | Will not fix | 5.0 SR16-FP3 | 6 SR14, 6.0.1 SR6 | 7 SR5 | |
Oracle June 18 2013 CPU (1.5.0_51, 1.6.0_51, 1.7.0_25)
Further information on Oracle's June 18 2013 Critical Patch Update is available here.
Oracle April 16 2013 CPU (1.5.0_45, 1.6.0_45, 1.7.0_21)
Further information on Oracle's April 16 2013 Critical Patch Update is available here.
Oracle March 2013 Security Alert (1.5.0_41, 1.6.0_43, 1.7.0_17)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2013-0809 | 10 | 1.4.2 SR13-FP16 | 5.0 SR16 | 6 SR13, 6.0.1 SR5 | 7 SR4 | |
| CVE-2013-1493 | 10 | 1.4.2 SR13-FP16 | 5.0 SR16 | 6 SR13, 6.0.1 SR5 | 7 SR4 | |
Further information on Oracle's March 2013 Security Alert is available here.
Oracle February 19 2013 CPU (1.4.2_42, 1.5.0_40, 1.6.0_41, 1.7.0_15)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2013-1487 | 10 | N/A | N/A | 6 SR13, 6.0.1 SR5 | 7 SR4 | |
| CVE-2013-1486 | 10 | N/A | 5.0 SR16 | 6 SR13, 6.0.1 SR5 | 7 SR4 | |
| CVE-2013-1484 | 10 | N/A | N/A | N/A | 7 SR4 | |
| CVE-2013-1485 | 5 | N/A | N/A | N/A | 7 SR4 | |
| CVE-2013-0169 | 4.3 | 1.4.2 SR13-FP17 | 5.0 SR16-FP2 | 6 SR13-FP1, 6.0.1 SR5-FP1 | 7 SR4-FP1 | |
Further information on Oracle's February 19 2013 Critical Patch Update is available here.
Oracle February 1 2013 CPU (1.4.2_41, 1.5.0_39, 1.6.0_39, 1.7.0_13)
Further information on Oracle's February 1 2013 Critical Patch Update is available here.
Oracle January 2013 Security Alert (1.7.0_11)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2013-0422 | 10 | N/A | N/A | N/A | 7 SR4 | See IBM PSIRT blog for further details |
| CVE-2012-3174 | 10 | N/A | N/A | N/A | 7 SR4 | See IBM PSIRT blog for further details |
Further information on Oracle's January 2013 Security Alert is available here.
IBM Security Update November 2012
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2012-4820 | 9.3 | 1.4.2 SR13-FP14 | 5.0 SR15 | 6 SR12, 6.0.1 SR4 | 7 SR3 | |
| CVE-2012-4821 | 9.3 | N/A | N/A | N/A | 7 SR3 | |
| CVE-2012-4822 | 9.3 | 1.4.2 SR13-FP14 | 5.0 SR15 | 6 SR12, 6.0.1 SR4 | 7 SR3 | |
| CVE-2012-4823 | 9.3 | N/A | N/A | 6 SR12, 6.0.1 SR4 | 7 SR3 | |
Further information on these CVEs is available here.
Oracle October 16 2012 CPU (1.4.2_40, 1.5.0_38, 1.6.0_37, 1.7.0_09)
Further information on Oracle's October 16 2012 Critical Patch Update is available here.
Oracle August 2012 Security Alert (1.6.0_35, 1.7.0_07)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2012-4681 | 10 | N/A | N/A | N/A | 7 SR2 | |
| CVE-2012-1682 | 10 | N/A | N/A | 6 SR12, 6.0.1 SR4 | 7 SR2 | |
| CVE-2012-3136 | 10 | N/A | N/A | N/A | 7 SR2 | |
| CVE-2012-0547 | 0 | N/A | N/A | 6 SR12, 6.0.1 SR4 | 7 SR2 | This issue is not directly exploitable |
Further information on Oracle's August 2012 Security Alert is available here.
Oracle June 12 2012 CPU (1.4.2_38, 1.5.0_36, 1.6.0_33, 1.7.0_05)
Further information on Oracle's June 12 2012 Critical Patch Update is available here.
Oracle February 14 2012 CPU (1.4.2_36, 1.5.0_34, 1.6.0_31, 1.7.0_03)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2012-0502 | 6.4 | 1.4.2 SR13-FP12 | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0503 | 7.5 | 1.4.2 SR13-FP12 | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0506 | 4.3 | 1.4.2 SR13-FP12 | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0507 | 10 | N/A | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | Previously tracked under CVE-2011-3571 |
| CVE-2011-3563 | 6.4 | 1.4.2 SR13-FP12 | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0500 | 10 | N/A | N/A | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0497 | 10 | N/A | N/A | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0498 | 10 | N/A | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0499 | 10 | 1.4.2 SR13-FP12 | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0501 | 5 | N/A | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0505 | 7.5 | 1.4.2 SR13-FP12 | 5.0 SR13-FP1 | 6 SR10-FP1 | 7 SR1 | |
| CVE-2011-5035 | 5 | N/A | N/A | 6 SR10-FP1 | 7 SR1 | |
| CVE-2012-0504 | 9.3 | N/A | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
Further information on Oracle's February 14 2012 Critical Patch Update is available here.
Oracle October 18 2011 CPU (1.4.2_34, 1.5.0_32, 1.6.0_29, 1.7.0_01)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | IBM 7 Fix | Notes |
|---|---|---|---|---|---|---|
| CVE-2011-3547 | 5 | 1.4.2 SR13-FP11 | 5.0 SR13 | 6 SR10 | 7 SR1 | |
| CVE-2011-3546 | 5.8 | N/A | N/A | 6 SR10 | 7 SR1 | |
| CVE-2011-3548 | 10 | 1.4.2 SR13-FP11 | 5.0 SR13 | 6 SR10 | 7 SR1 | |
| CVE-2011-3549 | 10 | 1.4.2 SR13-FP11 | 5.0 SR13 | 6 SR10 | N/A | |
| CVE-2011-3516 | 7.6 | N/A | N/A | 6 SR10 | N/A | |
| CVE-2011-3550 | 7.6 | N/A | N/A | 6 SR10 | 7 SR1 | |
| CVE-2011-3551 | 9.3 | N/A | N/A | 6 SR10 | 7 SR1 | |
| CVE-2011-3552 | 2.6 | 1.4.2 SR13-FP11 | 5.0 SR13 | 6 SR10 | 7 SR1 | |
| CVE-2011-3553 | 3.5 | N/A | N/A | 6 SR10 | 7 SR1 | |
| CVE-2011-3544 | 10 | N/A | N/A | 6 SR10 | 7 SR3 | |
| CVE-2011-3545 | 10 | 1.4.2 SR13-FP11 | 5.0 SR13 | 6 SR10 | N/A | |
| CVE-2011-3521 | 10 | N/A | N/A | 6 SR10 | 7 SR1 | Not applicable to IBM 5.0 JRE/SDK |
| CVE-2011-3554 | 10 | N/A | 5.0 SR13 | 6 SR10 | 7 SR1 | |
| CVE-2011-3555 | 2.6 | N/A | N/A | N/A | 7 SR1 | |
| CVE-2011-3558 | 5 | N/A | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2011-3556 | 7.5 | 1.4.2 SR13-FP11 | 5.0 SR13 | 6 SR10 | 7 SR1 | |
| CVE-2011-3557 | 6.8 | 1.4.2 SR13-FP11 | 5.0 SR13-FP1 | 6 SR10 | 7 SR1 | |
| CVE-2011-3389 | 4.3 | 1.4.2 SR13-FP11 | 5.0 SR13-FP1 | 6 SR10 | 7 SR1 | |
| CVE-2011-3560 | 6.4 | 1.4.2 SR13-FP11 | 5.0 SR13-FP1 | 6 SR10 | 7 SR1 | |
| CVE-2011-3561 | 1.8 | N/A | N/A | 6 SR10 | 7 SR1 | |
Further information on Oracle's October 18 2011 Critical Patch Update is available here.
Oracle June 7 2011 CPU (1.4.2_32, 1.5.0_30, 1.6.0_26)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2011-0865 | 2.6 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0866 | 7.6 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0786 | 7.6 | N/A | N/A | 6 SR9-FP2 | |
| CVE-2011-0788 | 7.6 | N/A | N/A | 6 SR9-FP2 | |
| CVE-2011-0802 | 10 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0814 | 10 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0815 | 10 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0862 | 10 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0867 | 5 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0869 | 5 | N/A | N/A | 6 SR9-FP2 | |
| CVE-2011-0817 | 10 | N/A | N/A | 6 SR9-FP2 | |
| CVE-2011-0863 | 10 | N/A | N/A | 6 SR9-FP2 | |
| CVE-2011-0868 | 5 | N/A | N/A | 6 SR9-FP2 | |
| CVE-2011-0864 | 5 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2011-0871 | 10 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0872 | 5 | 1.4.2 SR13-FP10 | 5.0 SR12-FP5 | 6 SR9-FP2 | |
| CVE-2011-0873 | 10 | N/A | 5.0 SR12-FP5 | 6 SR9-FP2 | |
Further information on Oracle's June 7 2011 Critical Patch Update is available here.
Oracle February 15 2011 CPU (1.4.2_30, 1.5.0_28, 1.6.0_24)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2010-4467 | 10 | N/A | N/A | 6 SR9-FP1 | |
| CVE-2010-4468 | 5.1 | N/A | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4469 | 10 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2010-4465 | 10 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4470 | 5 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2010-4422 | 7.6 | N/A | N/A | 6 SR9-FP1 | |
| CVE-2010-4471 | 5 | N/A | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4448 | 2.6 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4450 | 5.1 | N/A | 5.0 SR12-FP4 | N/A | Not applicable to IBM 1.4.2 and 6 JREs/SDKs |
| CVE-2010-4451 | 7.6 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2010-4452 | 10 | N/A | N/A | 6 SR9-FP1 | |
| CVE-2010-4462 | 10 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4463 | 10 | N/A | N/A | 6 SR9-FP1 | |
| CVE-2010-4472 | 2.6 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2010-4466 | 5 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4447 | 8.3 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4475 | 7.1 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4454 | 10 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4473 | 10 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | |
| CVE-2010-4476 | 5 | 1.4.2 SR13-FP9 | 5.0 SR12-FP4 | 6 SR9-FP1 | Further information available here |
Further information on Oracle's February 15 2011 Critical Patch Update is available here.
IBM Security Update February 2011
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2011-0311 | 3.5 | 1.4.2 SR13-FP10 | 5.0 SR12-FP4 | 6 SR9-FP1 | APAR: IZ89602 |
This issue is limited to IBM JRE/SDK implementations. Further information is available here.
Oracle October 12 2010 SSR (1.4.2_28, 1.5.0_26, 1.6.0_22)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2010-3553 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP3 | 6 SR9 | |
| CVE-2010-3554 | 10 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2009-3555 | 6.8 | 1.4.2 SR13-FP6 | 5.0 SR12 | 6 SR9 | RFC 5746 |
| CVE-2010-3561 | 7.5 | N/A | N/A | N/A | Not applicable to IBM JRE/SDK |
| CVE-2010-3562 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3557 | 6.8 | 1.4.2 SR13-FP6 | 5.0 SR12-FP3 | 6 SR9 | |
| CVE-2010-3558 | 10 | N/A | N/A | 6 SR9 | |
| CVE-2010-3563 | 10 | N/A | N/A | 6 SR9 | |
| CVE-2010-0771 | 10 | N/A | N/A | 6 SR9 | |
| CVE-2010-3550 | 9.3 | N/A | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3549 | 6.8 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3551 | 5 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3555 | 9.3 | N/A | N/A | 6 SR9 | |
| CVE-2010-3556 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3559 | 10 | N/A | 5.0 SR12-FP2 | 6 SR9 | Not applicable to IBM 1.4.2 JRE/SDK |
| CVE-2010-3548 | 5 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-1321 | 6.8 | 1.4.2 SR13-FP8 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3565 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3567 | 10 | N/A | N/A | 6 SR9 | Not applicable to IBM 5.0 JRE/SDK |
| CVE-2010-3566 | 10 | N/A | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3568 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3541 | 5.1 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3569 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3571 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP3 | 6 SR9 | |
| CVE-2010-3572 | 10 | 1.4.2 SR13-FP6 | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3570 | 7.6 | N/A | N/A | N/A | Not applicable to IBM JRE/SDKs |
| CVE-2010-3560 | 2.6 | N/A | N/A | 6 SR9 | |
| CVE-2010-3573 | 5.1 | N/A | 5.0 SR12-FP2 | 6 SR9 | |
| CVE-2010-3574 | 5.1 | 1.4.2 SR13-FP8 | 5.0 SR12-FP2 | 6 SR9 | |
Further information about the SSR issued by Oracle on October 12 2010 is available here.
Oracle 1.6.0_20 Emergency Release
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2010-0886 | 5.1 | N/A | N/A | N/A | Not applicable to IBM JRE/SDKs |
| CVE-2010-0887 | 5.1 | N/A | N/A | 6 SR8-FP1 | |
Further information about the Emergency SSR issued by Oracle is available here.
March 30 2010 SSR (1.4.2_26, 1.5.0_24, 1.6.0_19)
| CVE | CVSS | IBM 1.4.2 Fix | IBM 5.0 Fix | IBM 6 Fix | Notes |
|---|---|---|---|---|---|
| CVE-2010-0082 | 5.1 | N/A | N/A | N/A | Not applicable to IBM JRE/SDKs |
| CVE-2010-0084 | 5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0085 | 5.1 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0087 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0088 | 6.8 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0089 | 5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0090 | 5.8 | N/A | N/A | 6 SR8 | |
| CVE-2010-0091 | 4.3 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0092 | 5.1 | N/A | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2009-3555 | 6.8 | 1.4.2 SR13-FP4 | 5.0 SR11-FP1 | 6 SR7 | |
| CVE-2010-0093 | 5.1 | N/A | N/A | N/A | Not applicable to IBM JRE/SDKs |
| CVE-2010-0094 | 7.5 | N/A | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0095 | 6.8 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0837 | 7.5 | N/A | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0838 | 7.5 | N/A | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0839 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP1 | 6 SR8 | |
| CVE-2010-0840 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0841 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0842 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0843 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0844 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0845 | 5.1 | N/A | N/A | N/A | Not applicable to IBM JRE/SDKs |
| CVE-2010-0846 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0847 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0848 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
| CVE-2010-0849 | 7.5 | 1.4.2 SR13-FP5 | 5.0 SR11-FP2 | 6 SR8 | |
Further information about the SSR issued by Oracle on March 30 2010 is available here.
| CVE Number | Date released | Synopsis | Affected Releases | Releases containing fix | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2009-3555 | 27 January 2010 | A security vulnerability in the TLS protocol (including SSL v3) may allow an attacker to conduct man-in-the-middle (MITM) type of attacks where chosen plain text may be injected as a prefix in an user's TLS session. This vulnerability does not allow an attacker to decrypt the intercepted network communication. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3876 CVE-2009-3877 |
4 December 2009 | A vulnerability in the Java Runtime Environment with decoding DER encoded data might allow a remote client to cause the JRE to crash, resulting in a denial of service condition. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3867 | 19 November 2009 | A buffer overflow vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3868 | 19 November 2009 | A buffer overflow vulnerability in the Java Runtime Environment with parsing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3872 | 19 November 2009 | An integer overflow vulnerability in the Java Runtime Environment with reading JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3873 | 19 November 2009 | A buffer overflow vulnerability in the Java Runtime Environment with processing JPEG files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files, or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3875 | 19 November 2009 | A security vulnerability in the Java Runtime Environment with verifying HMAC digests might allow authentication to be bypassed. This action can allow a user to forge a digital signature that would be accepted as valid. Applications that validate HMAC-based digital signatures might be vulnerable to this type of attack. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3865 | 19 November 2009 | A command execution vulnerability in the Java Runtime Environment Deployment Toolkit might be used to run arbitrary code. This issue might occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3869 | 19 November 2009 | A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3871 | 19 November 2009 | A buffer overflow vulnerability in the Java Runtime Environment with processing image files might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2009-3866 | 19 November 2009 | A security vulnerability in the Java Web Start Installer might be used to allow an untrusted Java Web Start application to run as a trusted application and run arbitrary code. This issue might occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-3874 | 19 November 2009 | An integer overflow vulnerability in the Java Runtime Environment with processing JPEG images might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2676 | 24 August 2009 | A security vulnerability in the JNLPAppletLauncher might impact users of the Sun JDK and JRE. Non-current versions of the JNLPAppletLauncher might be re-purposed with an untrusted Java applet to write arbitrary files on the system of the user downloading and running the untrusted applet. The JNLPAppletLauncher is a general purpose JNLP-based applet launcher class for deploying applets that use extension libraries containing native code. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2493 | 12 August 2009 | The Java Runtime Environment includes the Java Web Start technology that uses the Java Web Start ActiveX control to launch Java Web Start in Internet Explorer. A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio, which is used by the Java Web Start ActiveX control, might allow the Java Web Start ActiveX control to be leveraged to run arbitrary code. This might occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2670 | 10 August 2009 | A vulnerability in the Java Runtime Environment audio system might allow an untrusted applet or Java Web Start application to access system properties. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-0217 | 10 August 2009 | A vulnerability with verifying HMAC-based XML digital signatures in the XML Digital Signature implementation included with the Java Runtime Environment (JRE) might allow authentication to be bypassed. Applications that validate HMAC-based XML digital signatures might be vulnerable to this type of attack. Note: This vulnerability cannot be exploited by an untrusted applet or Java Web Start application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2671 CVE-2009-2672 | 10 August 2009 | A vulnerability in the Java Runtime Environment with the SOCKS proxy implementation might allow an untrusted applet or Java Web Start application to determine the username of the user running the applet or application. A second vulnerability in the Java Runtime Environment with the proxy mechanism implementation might allow an untrusted applet or Java Web Start application to obtain browser cookies and leverage those cookies to hijack sessions. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2673 | 10 August 2009 | A vulnerability in the Java Runtime Environment with the proxy mechanism implementation might allow an untrusted applet or Java Web Start application to make non-authorized socket or URL connections to hosts other than the origin host. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2674 | 10 August 2009 | An integer overflow vulnerability in the Java Runtime Environment with processing JPEG images might allow an untrusted Java Web Start application to escalate privileges. For example, an untrusted application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2675 | 10 August 2009 | An integer overflow vulnerability in the Java Runtime Environment with unpacking applets and Java Web Start applications using the unpack200 JAR unpacking utility might allow an untrusted applet or application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-2625 | 10 August 2009 | A vulnerability in the Java Runtime Environment (JRE) with parsing XML data might allow a remote client to create a denial-of-service condition on the system that the JRE runs on. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1100 | 6 April 2009 | A vulnerability in the Java Runtime Environment (JRE) with storing temporary font files might allow an untrusted applet or application to consume a disproportionate amount of disk space resulting in a denial-of-service condition. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1101 | 6 April 2009 | A vulnerability in the Java Runtime Environment (JRE) HTTP server implementation might allow a remote client to create a denial-of-service condition on a JAX-WS service endpoint that runs on the JRE. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1103 | 6 April 2009 | A vulnerability in the Java Plug-in with deserializing applets might allow an untrusted applet to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1105 | 6 April 2009 | The Java Plug-in allows a trusted applet to be launched on an earlier version of the Java Runtime Environment (JRE) provided the user that downloaded the applet allows it to run on the requested release. A vulnerability allows Javascript code that is present in the same web page as the applet to exploit known vulnerabilities of the requested JRE. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1104 | 6 April 2009 | The Java Plug-in allows Javascript code that is loaded from the localhost to connect to any port on the system. This might be leveraged together with XSS vulnerabilities in a blended attack to access other applications listening on ports other than the one where the Javascript code was served from. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1093 | 6 April 2009 | A vulnerability in the Java Runtime Environment (JRE) with initializing LDAP connections might be exploited by a remote client to cause a denial-of-service condition on the LDAP service. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1094 | 6 April 2009 | A vulnerability in the Java Runtime Environment LDAP client implementation might allow malicious data from an LDAP server to cause malicious code to be unexpectedly loaded and executed on an LDAP client. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1107 | 6 April 2009 | The Java Plugin displays a warning dialog for signed applets. A signed applet can obscure the contents of the dialog and trick a user into trusting the applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1095 CVE-2009-1096 | 6 April 2009 | Buffer overflow vulnerabilities in the Java Runtime Environment (JRE) with unpacking applets and Java Web Start applications using the unpack200 JAR unpacking utility might allow an untrusted applet or application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1106 | 6 April 2009 | A vulnerability in the Java Runtime Environment with parsing crossdomain.xml files might allow an untrusted applet to connect to any site that provides a crossdomain.xml file instead of sites that allow the domain that the applet is running on. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1097 | 6 April 2009 | A buffer overflow vulnerability in the Java Runtime Environment with processing PNG images might allow an untrusted Java Web Start application to escalate privileges. For example, an untrusted application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1097 | 6 April 2009 | A buffer overflow vulnerability in the Java Runtime Environment with processing GIF images might allow an untrusted Java Web Start application to escalate privileges. For example, an untrusted application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1098 | 6 April 2009 | A buffer overflow vulnerability in the Java Runtime Environment with processing GIF images might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2009-1099 | 6 April 2009 | A buffer overflow vulnerability in the Java Runtime Environment with processing fonts might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5349 | 6 April 2009 | A vulnerability in how the Java Runtime Environment (JRE) handles certain RSA public keys might cause the JRE to consume an excessive amount of CPU resources. This might lead to a Denial of Service (DoS) condition on affected systems. Such keys could be provided by a remote client of an application. This issue affects the following security providers: IBMJCE, IBMPKCS11Impl and IBMJCEFIPS. | IBM Platforms (IBMJCE):<br>IBM Platforms (IBMJCEFIPS):<br>Sun Platforms:<br>HP Platforms: | IBM Platforms (IBMJCE):<br>IBM Platforms (IBMJCEFIPS):<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5350 | 11 December 2008 | A security vulnerability in the Java Runtime Environment (JRE) might allow an untrusted applet or application to list the contents of the home directory of the user running the applet or application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5346 | 11 December 2008 | A security vulnerability in the Java Runtime Environment (JRE) with parsing zip files might allow an untrusted applet or application to read arbitrary memory locations in the process that the applet or application is running in. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5343 | 11 December 2008 | A vulnerability in Java Web Start and Java Plug-in might allow hidden code on a host to make network connections to that host and to hijack HTTP sessions using cookies stored in the browser. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5344 | 11 December 2008 | A vulnerability in the Java Runtime Environment (JRE) with applet classloading might allow an untrusted applet to read arbitrary files on a system that the applet runs on and make network connections to hosts other than the host it was loaded from. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5359 | 11 December 2008 | A buffer overflow vulnerability in the Java Runtime Environment (JRE) image processing code might allow an untrusted applet or application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5341 | 11 December 2008 | A vulnerability in the Java Runtime Environment might allow an untrusted Java Web Start application to determine the location of the Java Web Start cache and the username of the user running the Java Web Start application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5339 | 11 December 2008 | A vulnerability in the Java Runtime Environment (JRE) might allow an untrusted Java Web Start application to make network connections to hosts other than the host that the application is downloaded from. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5340 | 11 December 2008 | A vulnerability in the Java Runtime Environment with launching Java Web Start applications might allow an untrusted Java Web Start application to escalate privileges. For example, an untrusted application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5347 | 11 December 2008 | Security vulnerabilities in the JAX-WS and JAXB packages in the Java Runtime Environment (JRE) where internal classes can be accessed might allow an untrusted applet or application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5348 | 11 December 2008 | A security vulnerability in the Java Runtime Environment (JRE) with authenticating users through Kerberos might lead to a Denial of Service (DoS) to the system as a whole, due to excessive consumption of operating system resources. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-2086 | 11 December 2008 | A vulnerability in Java Web Start might allow certain trusted operations to be performed, such as modifying system properties. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5345 | 11 December 2008 | The Java Runtime Environment (JRE) allows code loaded from the local filesystem to access localhost. This might allow code that is maliciously placed on the local filesystem and then subsequently run to have network access to localhost that would not otherwise be allowed if the code were loaded from a remote host. This might be leveraged to steal cookies and hijack sessions (for domains that map a name to the localhost). | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5351 | 11 December 2008 | The UTF-8 (Unicode Transformation Format-8) decoder in the Java Runtime Environment (JRE) accepts encodings that are longer than the "shortest" form. This behavior is not a vulnerability in Java SE. However, it might be leveraged to exploit systems running software that relies on the JRE UTF-8 decoder to reject non-shortest form sequences. For example, non-shortest form sequences might be decoded into illegal URIs, which might then allow files that are not otherwise accessible to be read, if the URIs are not checked following UTF-8 decoding. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5360 | 11 December 2008 | The Java Runtime Environment creates temporary files with insufficiently random names. This might be leveraged to write JAR files, which might then be loaded as untrusted applets and Java Web Start applications to access and provide services from localhost and hence steal cookies. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5353 | 11 December 2008 | A security vulnerability in the Java Runtime Environment (JRE) related to deserializing calendar objects might allow an untrusted applet or application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5356 | 11 December 2008 | A buffer vulnerability in the Java Runtime Environment (JRE) with processing fonts might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5354 | 11 December 2008 | A buffer overflow vulnerability in the Java Runtime Environment (JRE) might allow an untrusted Java application that is launched through the command line to escalate privileges. For example, the untrusted Java application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted Java application. This vulnerability cannot be exploited by an applet or Java Web Start application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5357 | 11 December 2008 | A buffer vulnerability in the Java Runtime Environment (JRE) with processing fonts might allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5352 | 11 December 2008 | A buffer overflow vulnerability in the Java Runtime Environment (JRE) with unpacking applets and Java Web Start applications using the "unpack200" JAR unpacking utility might allow an untrusted applet or application to escalate privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5358 | 11 December 2008 | A buffer overflow vulnerability in the Java Runtime Environment with processing GIF images might allow an untrusted Java Web Start application to escalate privileges. For example, an untrusted application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-5342 | 11 December 2008 | A security vulnerability in the Java Web Start BasicService allows untrusted applications that are downloaded from another system to request local files to be displayed by the browser of the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3105 | 14 August 2008 | A vulnerability in the Java Runtime Environment with processing XML data might allow unauthorized access to certain URL resources (such as some files and web pages) or a Denial of Service (DoS) condition to be created on the system running the JRE. For this vulnerability to be exploited, a trusted application running on a JAX-WS server needs to process XML data that contains malicious content. This vulnerability cannot be exploited through an untrusted applet or untrusted Java Web Start application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3108 | 23 July 2008 | A buffer overflow vulnerability in the Java Runtime Environment with processing fonts might allow an untrusted applet or application to elevate its privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3109 | 23 July 2008 | A vulnerability in the Java Runtime Environment with scripting language support might allow an untrusted applet or application to elevate its privileges. For example, an untrusted applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3110 | 23 July 2008 | A vulnerability in the Java Runtime Environment with scripting language support might allow an untrusted applet to access information from another applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3111 | 23 July 2008 | Buffer overflow vulnerabilities in Java Web Start might allow an untrusted Java Web Start application to elevate its privileges. For example, an untrusted Java Web Start application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3115 | 23 July 2008 | After the installation of a JRE 5.0 Update 6 or later release, the system will no longer allow applets to run on an older release of the JRE. Due to a defect in the implementation of this feature, if an older release is subsequently installed, the system will allow applets to run on that older release. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3106 | 23 July 2008 | A vulnerability in the Java Runtime Environment with processing XML data might allow an untrusted applet or application that is downloaded from a website unauthorized access to certain URL resources (such as some files and web pages). | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3103 | 23 July 2008 | A vulnerability in the Java Management Extension (JMX) management agent included in the Java Runtime Environment might allow a JMX client running on a remote host to perform illegal operations on a system running JMX with local monitoring enabled. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3104 | 23 July 2008 | Security vulnerabilities in the Java Runtime Environment might allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on the local host, as if it were loaded from the system that the applet is running on. This might allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3112 | 23 July 2008 | A vulnerability in Java Web Start might allow an untrusted Java Web Start application downloaded from a website to create arbitrary files with the permissions of the user running the untrusted Java Web Start application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3113 | 23 July 2008 | A vulnerability in Java Web Start might allow an untrusted Java Web Start application downloaded from a website to create or delete arbitrary files with the permissions of the user running the untrusted Java Web Start application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-3114 | 23 July 2008 | A vulnerability in Java Web Start might allow an untrusted Java Web Start application to determine the location of the Java Web Start cache. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1196 | 27 March 2008 | A buffer overflow vulnerability in Java Web Start might allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges. For example, an untrusted Java Web Start application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1195 | 27 March 2008 | A vulnerability in the Java Runtime Environment might allow JavaScript(TM) code that is downloaded by a browser to make connections to network services on the system that the browser runs on, through Java APIs. This might allow files (that are accessible through these network services) or vulnerabilities (that exist on these network services) that are not otherwise normally accessible to be accessed or exploited. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1194 | 27 March 2008 | Two buffer overflow vulnerabilities might allow an untrusted applet or application to cause the Java Runtime Environment to crash. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1194 | 27 March 2008 | A buffer overflow vulnerability in the Java Runtime Environment image parsing code might allow an untrusted applet or application to create a denial-of-service condition, by causing the Java Runtime Environment to crash. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1193 | 27 March 2008 | A buffer overflow vulnerability in the Java Runtime Environment image parsing code might allow an untrusted applet or application to elevate its privileges. For example, an application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1192 | 27 March 2008 | A vulnerability in the Java Plug-in might allow an untrusted applet to bypass the same origin policy and leverage this flaw to run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1191 | 27 March 2008 | A vulnerability in Java Web Start might allow an untrusted Java Web Start application to create files on the system that the untrusted application runs on and leverage these files to run local applications with the privileges of the user running the untrusted Java Web Start application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1190 | 27 March 2008 | A vulnerability in Java Web Start might allow an untrusted Java Web Start application to elevate its privileges. For example, an application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1189 | 27 March 2008 | A buffer overflow vulnerability in the Java Runtime Environment might allow an untrusted applet or application to elevate its privileges. For example, an applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1188 | 27 March 2008 | Two buffer overflow vulnerabilities in Java Web Start might independently allow an untrusted Java Web Start application to elevate its privileges. For example, an untrusted Java Web Start application might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-1187 | 27 March 2008 | A vulnerability in the Java Runtime Environment with parsing XML data might allow an untrusted applet or application to elevate its privileges. For example, an applet might read certain URL resources (such as some files and web pages). | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2008-0657 | 27 March 2008 | A vulnerability in the Java Runtime Environment might allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted application or applet. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2007-5232 | 5 November 2007 | A vulnerability in the Java Runtime Environment (JRE) with applet caching might allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This might allow network resources (such as web pages) and vulnerabilities (that exist on these network services) that are not otherwise normally accessible to be accessed or exploited. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2007-5274 CVE-2007-5273 | 5 November 2007 | A vulnerability in the Java Runtime Environment (JRE) might allow malicious Javascript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the Javascript code was downloaded from. This might allow network resources (such as web pages) and vulnerabilities (that exist on these network services) that are not otherwise normally accessible to be accessed or exploited. A second vulnerability in the JRE might allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This might allow network resources (such as web pages) and vulnerabilities (that exist on these network services) that are not otherwise normally accessible to be accessed or exploited. | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: | IBM Platforms:<br>Sun Platforms:<br>HP Platforms: |
| CVE-2007-5236 | 5 November 2007 | An untrusted Java Web Start application might write arbitrary files with the privileges of the user running the application. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-5238 | 5 November 2007 | Three separate vulnerabilities might allow an untrusted Java Web Start application to determine the location of the Java Web Start cache. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-5239 | 5 November 2007 | An untrusted Java Web Start application or Java applet might move or copy arbitrary files by requesting the user of the application or applet to drag and drop a file from the Java Web Start application or Java applet window. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-5240 | 5 November 2007 | An untrusted applet might display an over-sized window so that the applet warning banner is not visible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-4381 | 5 November 2007 | A vulnerability in the font parsing code in the Java Runtime Environment might allow an untrusted applet to elevate its privileges. For example, an applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-3698 | 5 November 2007 | The Java Secure Socket Extension (JSSE) that is included in various releases of the Java Runtime Environment does not correctly process SSL/TLS handshake requests. This vulnerability might be exploited to create a Denial of Service (DoS) condition to the system as a whole on a server that listens for SSL/TLS connections using JSSE for SSL/TLS support. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-2788 CVE-2007-2789 CVE-2007-3004 CVE-2007-3005 |
9 August 2007 | A buffer overflow vulnerability in the image parsing code in the Java(TM) Runtime Environment might allow an untrusted applet or application to elevate its privileges. For example, an applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. A second vulnerability might allow an untrusted applet or application to cause the Java Virtual Machine to hang. |
|
|
||||||||
| CVE-2007-3655 | 9 August 2007 | A buffer overflow vulnerability in the Java Web Start URL parsing code might allow an untrusted application to elevate its privileges. For example, an application might grant itself permissions to read and write local files or run local applications with the privileges of the user running the Java Web Start application. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-3922 | 9 August 2007 | A security vulnerability in the Java Runtime Environment Applet Class Loader might allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on the local host, as if it were loaded from the system that the applet is running on. This might allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-3504 | 18 July 2007 | A vulnerability in Java(TM) Web Start allows an untrusted application to grant itself permissions to overwrite the .java.policy file and then invoke applets or Java Web Start applications that can run arbitrary code with the permissions of the user running the untrusted application. There are no reported attacks based on this vulnerability. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-3503 | 12 July 2007 | A defect in the Javadoc(TM) tool lets it generate HTML documentation pages that might be leveraged in a cross-site scripting attack. For this defect to be exploited, a user has to click a URL that is created by an attacker that points to a web page with documentation generated by Javadoc. The URL includes Javascript code that will be executed by the browser when the web page is loaded. The Javascript code might access information that is stored in the user's cookies from the website that hosts the documentation pages. There are no reported attacks based on this vulnerability. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-2435 | 5 June 2007 | A vulnerability in Java(TM) Web Start allows an untrusted application to elevate its privileges. For example, an application might grant itself permissions to read and write local files that are accessible to the user running the Java Web Start application. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2007-0243 | 05 April 2007 | A buffer overflow vulnerability in the Java(TM) Runtime Environment might allow an untrusted applet to elevate its privileges. For example, an applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2006-6737 CVE-2006-6736 |
04 January 2007 | Two vulnerabilities in the Java Runtime Environment might independently allow an untrusted applet to access data in other applets. |
|
|
||||||||
| CVE-2006-6745 | 04 January 2007 | Two vulnerabilities in the Java(TM) Runtime Environment with serialization might independently allow an untrusted applet or application to elevate its privileges. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
||||||||
| CVE-2006-6731 | 04 January 2007 | Two buffer overflow vulnerabilities in the Java(TM) Runtime Environment might independently allow an untrusted applet to elevate its privileges. For example, an applet might grant itself permissions to read and write local files or run local applications that are accessible to the user running the untrusted applet. |
IBM Platforms:
Sun Platforms:
HP Platforms: |
IBM Platforms:
Sun Platforms:
HP Platforms: |
- Note 1: For compatibility reasons, this fix is implemented via two system properties:
  - javax.xml.stream.supportDTD
  - com.ibm.xml.xlxp.support.dtd.compat.mode

  Setting both of these properties to false activates the fix. Refer to the Java 6 User Guide for more information.