CVE-2016-0686
First published: Fri Apr 15 2016(Updated: )
It was discovered that the ObjectInputStream class in the Serialization component of OpenJDK failed to properly ensure thread consistency when deserializing serialized input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK 6 | =1.6.0-update113 | |
| Oracle JDK 6 | =1.7.0-update99 | |
| Oracle JDK 6 | =1.8.0-update77 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update113 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update99 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0-update77 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2016-0651.html
- https://rhn.redhat.com/errata/RHSA-2016-0650.html
- https://rhn.redhat.com/errata/RHSA-2016-0676.html
- https://rhn.redhat.com/errata/RHSA-2016-0677.html
- https://rhn.redhat.com/errata/RHSA-2016-0675.html
- https://rhn.redhat.com/errata/RHSA-2016-0679.html
- https://rhn.redhat.com/errata/RHSA-2016-0678.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/4138b3f27ffe
- https://rhn.redhat.com/errata/RHSA-2016-0701.html
- https://rhn.redhat.com/errata/RHSA-2016-0702.html
- https://rhn.redhat.com/errata/RHSA-2016-0708.html
- https://rhn.redhat.com/errata/RHSA-2016-0716.html
- https://rhn.redhat.com/errata/RHSA-2016-0723.html
- https://rhn.redhat.com/errata/RHSA-2016-1039.html
- https://access.redhat.com/errata/RHSA-2016:1430
- https://access.redhat.com/errata/RHSA-2017:1216
- https://bugzilla.redhat.com/show_bug.cgi?id=1327743
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2016-0650.html
- http://rhn.redhat.com/errata/RHSA-2016-0651.html
- http://rhn.redhat.com/errata/RHSA-2016-0675.html
- http://rhn.redhat.com/errata/RHSA-2016-0676.html
- http://rhn.redhat.com/errata/RHSA-2016-0677.html
- http://rhn.redhat.com/errata/RHSA-2016-0678.html
- http://rhn.redhat.com/errata/RHSA-2016-0679.html
- http://rhn.redhat.com/errata/RHSA-2016-0701.html
- http://rhn.redhat.com/errata/RHSA-2016-0702.html
- http://rhn.redhat.com/errata/RHSA-2016-0708.html
- http://rhn.redhat.com/errata/RHSA-2016-0716.html
- http://rhn.redhat.com/errata/RHSA-2016-0723.html
- http://rhn.redhat.com/errata/RHSA-2016-1039.html
- http://www.debian.org/security/2016/dsa-3558
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/86473
- http://www.securitytracker.com/id/1035596
- http://www.ubuntu.com/usn/USN-2963-1
- http://www.ubuntu.com/usn/USN-2964-1
- http://www.ubuntu.com/usn/USN-2972-1
- https://security.gentoo.org/glsa/201606-18
- https://security.netapp.com/advisory/ntap-20160420-0001/
Frequently Asked Questions
What is the severity of CVE-2016-0686?
CVE-2016-0686 is classified as a high severity vulnerability due to its potential to allow untrusted Java applications to bypass sandbox restrictions.
How do I fix CVE-2016-0686?
To fix CVE-2016-0686, update to the latest version of the Oracle JDK or JRE that contains the security patch addressing this vulnerability.
Which software versions are affected by CVE-2016-0686?
CVE-2016-0686 affects Oracle JDK versions 1.6.0-update113, 1.7.0-update99, and 1.8.0-update77 as well as corresponding Oracle JRE versions.
What kind of exploit is possible with CVE-2016-0686?
An attacker could exploit CVE-2016-0686 to perform unauthorized operations by sending crafted serialized data to an untrusted Java application.
Is CVE-2016-0686 only a concern for enterprise environments?
CVE-2016-0686 can impact any environment running the affected versions of Oracle JDK or JRE, making it a concern for both enterprise and personal systems.
- agent/references
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-0686
- agent/author
- agent/severity
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.6.0-update113
- version/oracle jdk 6/1.7.0-update99
- version/oracle jdk 6/1.8.0-update77
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.6.0-update113
- version/oracle java runtime environment (jre)/1.7.0-update99
- version/oracle java runtime environment (jre)/1.8.0-update77