Exploited
critical
10
CWE
284
Advisory Published
CVE Published
CVE Published
Updated

CVE-2016-3427: Oracle Java SE and JRockit Unspecified Vulnerability

First published: Mon Apr 18 2016(Updated: )

It was discovered that the RMI (Java Remote Method Invocation) server implementation in the JMX (Java Management Extensions) component of OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote unauthenticated attacker able to connect to a JMX port could possibly use this flaw trigger deserialization flaws.

Credit: secalert_us@oracle.com secalert_us@oracle.com

Affected SoftwareAffected VersionHow to fix
redhat/java<1.7.0-oracle-1:1.7.0.101-1jpp.1.el5_11
1.7.0-oracle-1:1.7.0.101-1jpp.1.el5_11
redhat/java<1.6.0-sun-1:1.6.0.115-1jpp.1.el5_11
1.6.0-sun-1:1.6.0.115-1jpp.1.el5_11
redhat/java<1.8.0-oracle-1:1.8.0.91-1jpp.1.el6_7
1.8.0-oracle-1:1.8.0.91-1jpp.1.el6_7
redhat/java<1.7.0-oracle-1:1.7.0.101-1jpp.1.el6_7
1.7.0-oracle-1:1.7.0.101-1jpp.1.el6_7
redhat/java<1.6.0-sun-1:1.6.0.115-1jpp.1.el6_7
1.6.0-sun-1:1.6.0.115-1jpp.1.el6_7
redhat/java<1.8.0-oracle-1:1.8.0.91-1jpp.1.el7
1.8.0-oracle-1:1.8.0.91-1jpp.1.el7
redhat/java<1.7.0-oracle-1:1.7.0.101-1jpp.1.el7
1.7.0-oracle-1:1.7.0.101-1jpp.1.el7
redhat/java<1.6.0-sun-1:1.6.0.115-1jpp.1.el7
1.6.0-sun-1:1.6.0.115-1jpp.1.el7
redhat/java<1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el5_11
1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el5_11
redhat/java<1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el5_11
1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el5_11
redhat/java<1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5
1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5
redhat/java<1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el5
1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el5
redhat/java<1.8.0-openjdk-1:1.8.0.91-0.b14.el6_7
1.8.0-openjdk-1:1.8.0.91-0.b14.el6_7
redhat/java<1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el6_7
1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el6_7
redhat/java<1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el6_7
1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el6_7
redhat/java<1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7
1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7
redhat/java<1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el6_7
1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el6_7
redhat/java<1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el6
1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el6
redhat/java<1.8.0-openjdk-1:1.8.0.91-0.b14.el7_2
1.8.0-openjdk-1:1.8.0.91-0.b14.el7_2
redhat/java<1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el7_2
1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el7_2
redhat/java<1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el7_2
1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el7_2
redhat/java<1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el7
1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el7
redhat/java<1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7
1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7
redhat/spacewalk-java<0:2.0.2-109.el6
0:2.0.2-109.el6
redhat/java<1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8
1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8
redhat/spacewalk-java<0:2.3.8-146.el6
0:2.3.8-146.el6
debian/openjdk-8
8u442-ga-2
Oracle Java SE
Oracle Java SE 7=1.6.0-update113
Oracle Java SE 7=1.7.0-update99
Oracle Java SE 7=1.8.0-update77
Oracle JRE=1.6.0-update113
Oracle JRE=1.7.0-update99
Oracle JRE=1.8.0-update77
Oracle Java SE=r28.3.9
Oracle Linux=5
Oracle Linux=6
Oracle Linux=7
Ubuntu=12.04
Ubuntu=14.04
Ubuntu=15.10
Ubuntu=16.04
Debian Linux=8.0
NetApp E-Series SANtricity Management Plug-ins for VMware vCenter
NetApp SANtricity Storage Manager
NetApp E-Series SANtricity Web Services
NetApp OnCommand Balance
NetApp OnCommand Cloud Manager
NetApp OnCommand Insight
NetApp OnCommand Performance Manager
NetApp OnCommand Report
NetApp OnCommand Shift
NetApp OnCommand Unified Manager for 7-Mode
NetApp OnCommand Unified Manager
NetApp OnCommand Workflow Automation
NetApp StorageGRID Webscale<=9.0.4
NetApp VASA Provider>=7.2
NetApp Virtual Storage Console for VMware vSphere>=7.2
Apache Cassandra>=2.1.0<2.1.22
Apache Cassandra>=2.2.0<2.2.18
Apache Cassandra>=3.0.0<3.0.22
Apache Cassandra>=3.11.0<3.11.8
Apache Cassandra=4.0.0-beta1
Red Hat Satellite=5.6
Red Hat Satellite=5.7
Red Hat Enterprise Linux Desktop=5.0
Red Hat Enterprise Linux Desktop=6.0
Red Hat Enterprise Linux Desktop=7.0
Red Hat Enterprise Linux Server EUS=6.7
Red Hat Enterprise Linux Server EUS=7.2
Red Hat Enterprise Linux Server EUS=7.3
Red Hat Enterprise Linux Server EUS=7.4
Red Hat Enterprise Linux Server EUS=7.5
Red Hat Enterprise Linux Server EUS=7.6
Red Hat Enterprise Linux Server EUS=7.7
Red Hat Enterprise Linux Server=5.0
Red Hat Enterprise Linux Server=6.0
Red Hat Enterprise Linux Server=7.0
Red Hat Enterprise Linux Server=7.2
Red Hat Enterprise Linux Server=7.3
Red Hat Enterprise Linux Server=7.4
Red Hat Enterprise Linux Server=7.6
Red Hat Enterprise Linux Server=7.7
Red Hat Enterprise Linux Server=6.7
Red Hat Enterprise Linux Server=7.2
Red Hat Enterprise Linux Server=7.2
Red Hat Enterprise Linux Server=7.3
Red Hat Enterprise Linux Server=7.6
Red Hat Enterprise Linux Server=7.7
Red Hat Enterprise Linux Workstation=5.0
Red Hat Enterprise Linux Workstation=6.0
Red Hat Enterprise Linux Workstation=7.0
SUSE Linux Enterprise Module for Legacy=12
SUSE Manager Server=2.1
SUSE Manager Proxy=2.1
openSUSE OpenStack Cloud=5
SUSE Linux=42.1
openSUSE=13.1
openSUSE=13.2
SUSE Linux Enterprise Desktop=12
SUSE Linux Enterprise Desktop=12-sp1
SUSE Linux Enterprise Server=10-sp4
SUSE Linux Enterprise Server=11-sp2
SUSE Linux Enterprise Server=11-sp3
SUSE Linux Enterprise Server=11-sp4
SUSE Linux Enterprise Server=12
SUSE Linux Enterprise Server=12-sp1
SUSE Linux Enterprise Software Development Kit=11-sp4
SUSE Linux Enterprise Software Development Kit=12-sp1

Remedy

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Remedy

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Remedy

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Remedy

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2016-3427?

    CVE-2016-3427 is classified as a critical vulnerability due to its potential impact on confidentiality, integrity, and availability.

  • How do I fix CVE-2016-3427?

    To fix CVE-2016-3427, update to the latest recommended Java version as per the vendor's security advisories.

  • Which versions of Java are affected by CVE-2016-3427?

    CVE-2016-3427 affects multiple Java versions including Oracle JDK 6, 7, and 8, along with JRockit.

  • Can CVE-2016-3427 be exploited remotely?

    Yes, CVE-2016-3427 can be exploited by remote attackers through vulnerabilities related to Java Management Extensions (JMX).

  • What type of vulnerability is CVE-2016-3427 classified as?

    CVE-2016-3427 is classified as a denial of service vulnerability that can lead to various security impacts.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203