Oracle Security Alert for CVE-2016-0603
This Security Alert addresses CVE-2016-0603, which can be exploited when installing Java SE 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS 2.0 Base Score of 7.6.
To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and downloading files onto the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may, if successfully exploited, result in a complete compromise of the unsuspecting user's system.
Because the exposure exists only during the installation process, users need not upgrade existing Java SE installations to address the vulnerability. However, Java SE users who have downloaded any older version of Java SE (prior to 6u113, 7u97 or 8u73) for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.
As a reminder, Oracle recommends that Java SE home users visit Java.com to ensure that they are running the most recent version of Java SE and advises against downloading Java SE from sites other than Java.com as these sites may be malicious.
Note: The Java SE Advanced Enterprise installers are not affected.
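The remediation above is a triage of files already on disk rather than a patch: installers older than 6u113, 7u97 or 8u73 should be deleted, while installed copies need no action. The following script is an added example (not Oracle's code and not part of this alert) that applies that rule to a folder of downloads. It assumes the public Windows installer naming pattern `jre-<family>u<update>-windows-<arch>.exe` / `jdk-...`; the fixed update numbers come from the alert, and the sample file list is constructed for illustration.

```python
"""
Triage downloaded Java SE Windows installers against the fixed versions named
in the Security Alert for CVE-2016-0603 (6u113, 7u97, 8u73).

Added example, not Oracle's code. Assumptions not stated on the page:
  * installer file names follow the public download naming pattern
    jre-<family>u<update>-windows-<arch>.exe (or jdk-...)
  * SAMPLE_DOWNLOADS below is a constructed list, not real data
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum safe installer per Java SE family, taken from the alert text.
FIXED_UPDATE: Dict[int, int] = {6: 113, 7: 97, 8: 73}

# Assumed public installer naming pattern (jre/jdk, family, update, arch).
INSTALLER_RE = re.compile(
    r"^(?P<kind>jre|jdk)-(?P<family>\d+)u(?P<update>\d+)-windows-(?P<arch>[a-z0-9]+)\.exe$",
    re.IGNORECASE,
)


def parse_installer(name: str) -> Optional[Tuple[str, int, int, str]]:
    """Return (kind, family, update, arch) for a Java SE Windows installer name, else None."""
    m = INSTALLER_RE.match(name)
    if not m:
        return None
    return (m["kind"].lower(), int(m["family"]), int(m["update"]), m["arch"].lower())


def is_vulnerable_installer(name: str) -> Optional[bool]:
    """True if the installer predates the fix for its family, False if it is at
    or after the fix, None if the name is not a recognised Java SE Windows
    installer or its family is not covered by this alert."""
    parsed = parse_installer(name)
    if parsed is None:
        return None
    _, family, update, _ = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return None
    return update < fixed


def triage(names: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket file names into discard / keep / unknown per the alert's guidance."""
    result: Dict[str, List[str]] = {"discard": [], "keep": [], "unknown": []}
    for n in names:
        verdict = is_vulnerable_installer(n)
        if verdict is None:
            result["unknown"].append(n)
        elif verdict:
            result["discard"].append(n)
        else:
            result["keep"].append(n)
    return result


def triage_directory(path: str) -> Dict[str, List[str]]:
    """Run triage over the files actually present in a directory (e.g. a Downloads folder)."""
    return triage(p.name for p in Path(path).iterdir() if p.is_file())


# Constructed sample of what a user's Downloads folder might hold.
SAMPLE_DOWNLOADS = [
    "jre-8u71-windows-x64.exe",    # listed as affected in the risk matrix
    "jdk-8u72-windows-i586.exe",   # affected
    "jre-8u73-windows-x64.exe",    # first fixed 8 update
    "jre-7u95-windows-i586.exe",   # affected
    "jdk-7u97-windows-x64.exe",    # fixed
    "jre-6u111-windows-i586.exe",  # affected
    "jre-6u113-windows-i586.exe",  # fixed
    "jre-8u73-linux-x64.tar.gz",   # not a Windows installer, out of scope here
]

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_DOWNLOADS).items():
        print(f"{bucket}:")
        for f in files:
            print("  ", f)
```

Files in the `unknown` bucket are not cleared by this check; they simply do not match the assumed naming pattern (the Java SE Advanced Enterprise installers, which the note says are unaffected, use different names that this script does not model).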
Supported Products Affected
The security vulnerability addressed by this Security Alert affects the products listed below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions: Java SE 6u111, 7u95, 8u71 and 8u72 (see the Oracle Java SE Risk Matrix in the Appendix below).
Patch Availability Table and Risk Matrix
Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.
Patch Availability Table
|Product Group|Risk Matrix|Patch Availability and Installation Information|
|Oracle Java SE|Oracle Java SE Risk Matrix||
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of risk matrix [ Oracle Technology Network ]
2016-February-5: Rev 1. Initial Release
Appendix – Oracle Java SE
Oracle Java SE Executive Summary
This Security Alert contains 1 new security fix for Oracle Java SE. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix is linked under the Patch Availability Table above.
Oracle Java SE Risk Matrix
|CVE#|Component|Protocol|Sub-component|Remote Exploit without Auth.?|CVSS 2.0 Base Score|Access Vector|Access Complexity|Authentication|Confidentiality|Integrity|Availability|Supported Versions Affected|Notes|
|CVE-2016-0603|Java SE|Multiple|Install|Yes|7.6|Network|High|None|Complete|Complete|Complete|Java SE: 6u111, 7u95, 8u71, 8u72|See Note 1|
(CVSS version 2.0 risk; see Risk Matrix Definitions.)
Note 1: Applies to installation of Java SE on Windows only.
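The matrix row corresponds to the CVSS 2.0 vector AV:N/AC:H/Au:N/C:C/I:C/A:C. The following script is an added example, not part of the Oracle advisory, that recomputes the 7.6 base score from those metric values using the published CVSS v2.0 base equations and weights (from the FIRST CVSS v2.0 specification, not from this page). It also shows what the score would be with Access Complexity set to Low, which makes visible how much the "relatively complex to exploit" qualifier in the alert text lowers the rating.

```python
"""
Recompute the CVSS v2.0 base score for CVE-2016-0603 from the metric values in
the Oracle Java SE Risk Matrix.

Added example, not from the advisory. The weights and equations below are the
CVSS v2.0 base-score formulas from the FIRST specification; the metric values
are exactly as printed in the risk matrix row.
"""
from typing import Dict

# CVSS v2.0 metric weights (CVSS v2.0 specification).
ACCESS_VECTOR: Dict[str, float] = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY: Dict[str, float] = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION: Dict[str, float] = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT: Dict[str, float] = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# Short vector-string codes for each metric value, for building "AV:N/AC:H/..." strings.
_VECTOR_CODE = {
    "Local": "L", "Adjacent Network": "A", "Network": "N",
    "High": "H", "Medium": "M", "Low": "L",
    "Multiple": "M", "Single": "S", "None": "N",
    "Partial": "P", "Complete": "C",
}


def round1(x: float) -> float:
    """Round to one decimal, half away from zero, as CVSS v2 does (not banker's rounding).
    Only non-negative inputs occur in the base equation."""
    return int(x * 10 + 0.5) / 10


def impact_subscore(c: str, i: str, a: str) -> float:
    """Impact = 10.41 * (1 - (1-ConfImpact) * (1-IntegImpact) * (1-AvailImpact))."""
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)),
    where f(Impact) is 0 if Impact is 0 and 1.176 otherwise."""
    imp = impact_subscore(c, i, a)
    exp = exploitability_subscore(av, ac, au)
    f_impact = 0.0 if imp == 0 else 1.176
    return round1((0.6 * imp + 0.4 * exp - 1.5) * f_impact)


def vector_string(av: str, ac: str, au: str, c: str, i: str, a: str) -> str:
    """Render the CVSS v2.0 base vector string for the given metric values."""
    return "AV:{}/AC:{}/Au:{}/C:{}/I:{}/A:{}".format(
        _VECTOR_CODE[av], _VECTOR_CODE[ac], _VECTOR_CODE[au],
        _VECTOR_CODE[c], _VECTOR_CODE[i], _VECTOR_CODE[a],
    )


# Metric values exactly as printed in the risk matrix row for CVE-2016-0603.
CVE_2016_0603 = dict(av="Network", ac="High", au="None",
                     c="Complete", i="Complete", a="Complete")


def cve_2016_0603_score() -> float:
    """Base score for the matrix row as printed (expected to match the page's 7.6)."""
    return base_score(**CVE_2016_0603)


def cve_2016_0603_if_low_complexity() -> float:
    """Same vector with Access Complexity lowered to Low, to show the effect of AC:H."""
    return base_score(**{**CVE_2016_0603, "ac": "Low"})


if __name__ == "__main__":
    print(vector_string(**CVE_2016_0603), "->", cve_2016_0603_score())
    print("with AC:L ->", cve_2016_0603_if_low_complexity())
```

With Complete/Complete/Complete impact the impact subscore is at its maximum (10.0), so the whole difference between 7.6 and the 10.0 ceiling comes from the Access Complexity weight (0.35 for High versus 0.71 for Low), i.e. from the requirement that the user be lured into downloading files before running the installer.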