First published: Mon Apr 18 2016 (Updated: )
It was discovered that the RMI (Java Remote Method Invocation) server implementation in the JMX (Java Management Extensions) component of OpenJDK did not restrict which classes could be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.
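The description above is the whole of the flaw: the credentials argument of a JMX/RMI login is an arbitrary serialized Java object, and the unpatched server deserialized it without any class restriction. The example below is added here to show the shape of the mitigation; it is not OpenJDK's code and not the actual patch. It assumes the conventional `String[] {user, password}` credential form, and demonstrates an allowlisting `ObjectInputStream` that accepts that type and refuses every other class descriptor before the class is loaded, with constructed sample payloads standing in for what an RMI client would marshal.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

// Added example, not OpenJDK code: allowlisting deserialization of JMX credentials.
public class CredentialDeserializationDemo {

    /** ObjectInputStream that refuses every class not on a fixed allowlist. */
    static final class CredentialInputStream extends ObjectInputStream {
        // Assumption: credentials follow the String[] {user, password} convention.
        // String values are written as TC_STRING records (no class descriptor),
        // so the only descriptor a legitimate payload carries is String[].
        private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("[Ljava.lang.String;")));

        CredentialInputStream(byte[] payload) throws IOException {
            super(new ByteArrayInputStream(payload));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Reject before the class is loaded: no readObject/readResolve of
                // the rejected type ever runs.
                throw new InvalidClassException(desc.getName(),
                    "class not permitted in JMX credentials");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            // Dynamic proxies are never a valid credential; refuse them outright.
            throw new InvalidClassException("dynamic proxy",
                "proxies not permitted in JMX credentials");
        }
    }

    /** Serialize an object the way an RMI client marshals a credentials argument. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize credentials with the allowlist enforced; throws on any other type. */
    static Object readCredentials(byte[] payload)
            throws IOException, ClassNotFoundException {
        try (CredentialInputStream in = new CredentialInputStream(payload)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a normal credentials pair is accepted.
        String[] creds = (String[]) readCredentials(
            serialize(new String[] {"monitor", "s3cret"}));
        System.out.println("accepted credentials for user " + creds[0]);

        // Constructed sample: any other serializable type is refused before loading.
        try {
            readCredentials(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unexpected type was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of checking in `resolveClass` is that the decision is made on the class descriptor, before any class is loaded or any of its deserialization hooks run; that is exactly the restriction the unpatched JMX RMI server lacked. In a real deployment you would not subclass the RMI stream yourself: patched JDKs expose the restriction as an `RMIConnectorServer` environment attribute (to my knowledge `jmx.remote.rmi.server.credential.types` in the 8u91-era fix, superseded by `jmx.remote.rmi.server.credentials.filter.pattern` from JDK 10; these names come from the JDK documentation, not from this page), and JDK 8u121 and later also offer process-wide `ObjectInputFilter` patterns via `jdk.serialFilter`.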
Credit: secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <1.7.0-oracle-1:1.7.0.101-1jpp.1.el5_11 | 1.7.0-oracle-1:1.7.0.101-1jpp.1.el5_11 |
redhat/java | <1.6.0-sun-1:1.6.0.115-1jpp.1.el5_11 | 1.6.0-sun-1:1.6.0.115-1jpp.1.el5_11 |
redhat/java | <1.8.0-oracle-1:1.8.0.91-1jpp.1.el6_7 | 1.8.0-oracle-1:1.8.0.91-1jpp.1.el6_7 |
redhat/java | <1.7.0-oracle-1:1.7.0.101-1jpp.1.el6_7 | 1.7.0-oracle-1:1.7.0.101-1jpp.1.el6_7 |
redhat/java | <1.6.0-sun-1:1.6.0.115-1jpp.1.el6_7 | 1.6.0-sun-1:1.6.0.115-1jpp.1.el6_7 |
redhat/java | <1.8.0-oracle-1:1.8.0.91-1jpp.1.el7 | 1.8.0-oracle-1:1.8.0.91-1jpp.1.el7 |
redhat/java | <1.7.0-oracle-1:1.7.0.101-1jpp.1.el7 | 1.7.0-oracle-1:1.7.0.101-1jpp.1.el7 |
redhat/java | <1.6.0-sun-1:1.6.0.115-1jpp.1.el7 | 1.6.0-sun-1:1.6.0.115-1jpp.1.el7 |
redhat/java | <1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el5_11 | 1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el5_11 |
redhat/java | <1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el5_11 | 1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el5_11 |
redhat/java | <1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5 | 1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5 |
redhat/java | <1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el5 | 1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el5 |
redhat/java | <1.8.0-openjdk-1:1.8.0.91-0.b14.el6_7 | 1.8.0-openjdk-1:1.8.0.91-0.b14.el6_7 |
redhat/java | <1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el6_7 | 1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el6_7 |
redhat/java | <1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el6_7 | 1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el6_7 |
redhat/java | <1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7 | 1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7 |
redhat/java | <1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el6_7 | 1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el6_7 |
redhat/java | <1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el6 | 1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el6 |
redhat/java | <1.8.0-openjdk-1:1.8.0.91-0.b14.el7_2 | 1.8.0-openjdk-1:1.8.0.91-0.b14.el7_2 |
redhat/java | <1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el7_2 | 1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el7_2 |
redhat/java | <1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el7_2 | 1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el7_2 |
redhat/java | <1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el7 | 1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el7 |
redhat/java | <1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7 |
redhat/spacewalk-java | <0:2.0.2-109.el6 | 0:2.0.2-109.el6 |
redhat/java | <1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8 | 1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8 |
redhat/spacewalk-java | <0:2.3.8-146.el6 | 0:2.3.8-146.el6 |
debian/openjdk-8 | 8u442-ga-2 | |
Oracle Java SE | ||
Oracle Java SE 7 | =1.6.0-update113 | |
Oracle Java SE 7 | =1.7.0-update99 | |
Oracle Java SE 7 | =1.8.0-update77 | |
Oracle JRE | =1.6.0-update113 | |
Oracle JRE | =1.7.0-update99 | |
Oracle JRE | =1.8.0-update77 | |
Oracle Java SE | =r28.3.9 | |
Oracle Linux | =5 | |
Oracle Linux | =6 | |
Oracle Linux | =7 | |
Ubuntu | =12.04 | |
Ubuntu | =14.04 | |
Ubuntu | =15.10 | |
Ubuntu | =16.04 | |
Debian Linux | =8.0 | |
NetApp E-Series SANtricity Management Plug-ins for VMware vCenter | ||
NetApp SANtricity Storage Manager | ||
NetApp E-Series SANtricity Web Services | ||
NetApp OnCommand Balance | ||
NetApp OnCommand Cloud Manager | ||
NetApp OnCommand Insight | ||
NetApp OnCommand Performance Manager | ||
NetApp OnCommand Report | ||
NetApp OnCommand Shift | ||
NetApp OnCommand Unified Manager for 7-Mode | ||
NetApp OnCommand Unified Manager | ||
NetApp OnCommand Workflow Automation | ||
NetApp StorageGRID Webscale | <=9.0.4 | |
NetApp VASA Provider | >=7.2 | |
NetApp Virtual Storage Console for VMware vSphere | >=7.2 | |
Apache Cassandra | >=2.1.0<2.1.22 | |
Apache Cassandra | >=2.2.0<2.2.18 | |
Apache Cassandra | >=3.0.0<3.0.22 | |
Apache Cassandra | >=3.11.0<3.11.8 | |
Apache Cassandra | =4.0.0-beta1 | |
Red Hat Satellite | =5.6 | |
Red Hat Satellite | =5.7 | |
Red Hat Enterprise Linux Desktop | =5.0 | |
Red Hat Enterprise Linux Desktop | =6.0 | |
Red Hat Enterprise Linux Desktop | =7.0 | |
Red Hat Enterprise Linux Server EUS | =6.7 | |
Red Hat Enterprise Linux Server EUS | =7.2 | |
Red Hat Enterprise Linux Server EUS | =7.3 | |
Red Hat Enterprise Linux Server EUS | =7.4 | |
Red Hat Enterprise Linux Server EUS | =7.5 | |
Red Hat Enterprise Linux Server EUS | =7.6 | |
Red Hat Enterprise Linux Server EUS | =7.7 | |
Red Hat Enterprise Linux Server | =5.0 | |
Red Hat Enterprise Linux Server | =6.0 | |
Red Hat Enterprise Linux Server | =7.0 | |
Red Hat Enterprise Linux Server | =7.2 | |
Red Hat Enterprise Linux Server | =7.3 | |
Red Hat Enterprise Linux Server | =7.4 | |
Red Hat Enterprise Linux Server | =7.6 | |
Red Hat Enterprise Linux Server | =7.7 | |
Red Hat Enterprise Linux Server | =6.7 | |
Red Hat Enterprise Linux Workstation | =5.0 | |
Red Hat Enterprise Linux Workstation | =6.0 | |
Red Hat Enterprise Linux Workstation | =7.0 | |
SUSE Linux Enterprise Module for Legacy | =12 | |
SUSE Manager Server | =2.1 | |
SUSE Manager Proxy | =2.1 | |
openSUSE OpenStack Cloud | =5 | |
SUSE Linux | =42.1 | |
openSUSE | =13.1 | |
openSUSE | =13.2 | |
SUSE Linux Enterprise Desktop | =12 | |
SUSE Linux Enterprise Desktop | =12-sp1 | |
SUSE Linux Enterprise Server | =10-sp4 | |
SUSE Linux Enterprise Server | =11-sp2 | |
SUSE Linux Enterprise Server | =11-sp3 | |
SUSE Linux Enterprise Server | =11-sp4 | |
SUSE Linux Enterprise Server | =12 | |
SUSE Linux Enterprise Server | =12-sp1 | |
SUSE Linux Enterprise Software Development Kit | =11-sp4 | |
SUSE Linux Enterprise Software Development Kit | =12-sp1 | |
CVE-2016-3427 is classified as a critical vulnerability because of its potential impact on confidentiality, integrity, and availability.
To fix CVE-2016-3427, update to the latest recommended Java version as given in the vendor's security advisories.
CVE-2016-3427 affects multiple Java versions, including Oracle JDK 6, 7, and 8, along with JRockit.
CVE-2016-3427 can be exploited by remote attackers through vulnerabilities related to Java Management Extensions (JMX).
CVE-2016-3427 is classified as a denial of service vulnerability that can also lead to various other security impacts.