Oracle has released a security update for Java SE that addresses a vulnerability present in its previous versions. Oracle states that the exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Oracle further states that this vulnerability only applies to Java SE running in web browsers, and is not applicable to Java deployments in servers or standalone desktop applications that load and run only trusted code. Oracle also states that this vulnerability does not affect Oracle server-based applications. Users and administrators are advised to update their versions of Java SE as early as possible.
Details of the Vulnerability
Oracle states that this vulnerability affects Java SE running in web browsers only. This vulnerability is reported to be remotely exploitable without authentication; that is, it can be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to view a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.
The following versions of Oracle Java SE are affected. This applies to the releases for Windows, Solaris, Linux, and Mac OS X.
- Java SE 7 Update 97
- Java SE 8 Update 73
- Java SE 8 Update 74
Recommended Course of Action
Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. In this regard, the following actions are recommended. Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html. Windows users running Java SE with a browser can either use Automatic Updates or download the latest release from http://java.com.
Oracle’s security advisory on this update is available at http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html.