{
  "threat_severity" : "Moderate",
  "public_date" : "2016-04-19T00:00:00Z",
  "bugzilla" : {
    "description" : "OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167)",
    "id" : "1328040",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1328040"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "details" : [ "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect availability via vectors related to JAXP.", "It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed." ],
  "affected_release" : [ {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 5",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0678",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:5",
    "package" : "java-1.7.0-oracle-1:1.7.0.101-1jpp.1.el5_11"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 5",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0679",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:5",
    "package" : "java-1.6.0-sun-1:1.6.0.115-1jpp.1.el5_11"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 6",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0677",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6",
    "package" : "java-1.8.0-oracle-1:1.8.0.91-1jpp.1.el6_7"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 6",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0678",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6",
    "package" : "java-1.7.0-oracle-1:1.7.0.101-1jpp.1.el6_7"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 6",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0679",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6",
    "package" : "java-1.6.0-sun-1:1.6.0.115-1jpp.1.el6_7"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 7",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0677",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7",
    "package" : "java-1.8.0-oracle-1:1.8.0.91-1jpp.1.el7"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 7",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0678",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7",
    "package" : "java-1.7.0-oracle-1:1.7.0.101-1jpp.1.el7"
  }, {
    "product_name" : "Oracle Java for Red Hat Enterprise Linux 7",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0679",
    "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7",
    "package" : "java-1.6.0-sun-1:1.6.0.115-1jpp.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0676",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "java-1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2016-05-09T00:00:00Z",
    "advisory" : "RHSA-2016:0723",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "java-1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-04-20T00:00:00Z",
    "advisory" : "RHSA-2016:0651",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "java-1.8.0-openjdk-1:1.8.0.91-0.b14.el6_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0675",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "java-1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el6_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-05-09T00:00:00Z",
    "advisory" : "RHSA-2016:0723",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "java-1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el6_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-04-20T00:00:00Z",
    "advisory" : "RHSA-2016:0650",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "java-1.8.0-openjdk-1:1.8.0.91-0.b14.el7_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-04-21T00:00:00Z",
    "advisory" : "RHSA-2016:0676",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "java-1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el7_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-05-09T00:00:00Z",
    "advisory" : "RHSA-2016:0723",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "java-1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el7_2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-3425\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-3425\nhttp://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html#AppendixJAVA" ],
  "name" : "CVE-2016-3425",
  "csaw" : false
}