Qualys Blog

www.qualys.com
wkandek

Oracle out-of-band release for Java 0-day

Oracle published a new version of Java today. The new version, Java 8 Update 77 (8u77), addresses a single critical vulnerability, CVE-2016-0636. The vulnerability was disclosed publicly two weeks ago on the Full Disclosure mailing list by Adam Gowdiak, CEO of the security research company Security Explorations, as a variant of an issue (CVE-2013-5838) that he reported to Oracle in 2013 and that Oracle's patch at the time did not fully fix.

Security Explorations has published a technical document describing the issue, together with proof-of-concept exploit code, on its website. It states that Java 7 and Java 9 are also affected by the vulnerability.

Since Oracle chose to fix this vulnerability out of band, rather than wait for its next quarterly Critical Patch Update, we can assume that a working exploit based on the published information is relatively easy to produce. Give this fix high priority and apply it as soon as possible.
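As an added check, not part of the original post or of any Qualys tooling: a small Python script that parses `java -version` output and reports whether an installed runtime is at or past 8u77. It assumes the fixed release for Java 8 is Update 77 as stated above, treats Java 7 and Java 9 as needing follow-up because the post reports them affected without naming a fixed build, and relies on the fact that `java -version` writes its banner to stderr. The sample banners are constructed.

```python
import re
import subprocess

# Fixed release named in the post: Java 8 Update 77. Java 7 and Java 9 are
# reported affected, but the post names no fixed build for them, so they are
# flagged for follow-up rather than declared fixed (assumption made here).
FIXED_JAVA8_UPDATE = 77

# `java -version` prints e.g. 'java version "1.8.0_74"' or 'openjdk version "9-ea"'
_BANNER_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')
_LEGACY_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")   # 1.8.0_74-b02 -> (8, 74)
_MODERN_RE = re.compile(r"^(\d+)")                        # 9-ea, 9.0.1  -> (9, 0)


def parse_java_version(banner):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    ver = m.group("ver")
    legacy = _LEGACY_RE.match(ver)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    modern = _MODERN_RE.match(ver)
    if modern:
        return int(modern.group(1)), 0
    return None


def assess(banner):
    """Classify a `java -version` banner against CVE-2016-0636.

    Returns (status, reason); status is "fixed", "vulnerable" or "review".
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "review", "no recognizable Java version string; check manually"
    major, update = parsed
    if major == 8:
        if update >= FIXED_JAVA8_UPDATE:
            return "fixed", "Java 8u%d includes the 8u77 fix" % update
        return "vulnerable", "Java 8u%d predates 8u77; update" % update
    if major in (7, 9):
        return "vulnerable", ("Java %d is reported affected; no fixed build is "
                              "named in the post, consult Oracle's advisory" % major)
    return "review", "Java %d is outside the releases discussed; check manually" % major


def local_java_banner():
    """Run `java -version`; it writes the banner to stderr, not stdout."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners, plus the local JVM if one is on PATH.
    samples = [
        'java version "1.8.0_74"\nJava(TM) SE Runtime Environment (build 1.8.0_74-b02)',
        'java version "1.8.0_77"\nJava(TM) SE Runtime Environment (build 1.8.0_77-b03)',
        'java version "1.7.0_97"',
        'openjdk version "9-ea"',
    ]
    for s in samples:
        print("%-10s %s" % assess(s))
    try:
        print("%-10s %s" % assess(local_java_banner()))
    except OSError:
        print("review     java not found on PATH")
```

Run it on each host (or feed it banners collected by your inventory tooling) and treat anything other than "fixed" as open. Note that a machine can carry several JREs; checking only the `java` first on PATH misses browser-registered or application-bundled runtimes, so point the script at each installation's `bin/java` as well.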
