{ "threat_severity" : "Critical", "public_date" : "2016-04-19T00:00:00Z", "bugzilla" : { "description" : "OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)", "id" : "1328210", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1328210" }, "cvss" : { "cvss_base_score" : "6.8", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status" : "verified" }, "details" : [ "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.", "It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws." ], "affected_release" : [ { "product_name" : "Oracle Java for Red Hat Enterprise Linux 5", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0678", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:5", "package" : "java-1.7.0-oracle-1:1.7.0.101-1jpp.1.el5_11" }, { "product_name" : "Oracle Java for Red Hat Enterprise Linux 5", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0679", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:5", "package" : "java-1.6.0-sun-1:1.6.0.115-1jpp.1.el5_11" }, { "product_name" : "Oracle Java for Red Hat Enterprise Linux 6", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0677", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6", "package" : "java-1.8.0-oracle-1:1.8.0.91-1jpp.1.el6_7" }, { "product_name" : "Oracle Java for Red Hat Enterprise Linux 6", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0678", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6", "package" : "java-1.7.0-oracle-1:1.7.0.101-1jpp.1.el6_7" }, { "product_name" : "Oracle Java for Red Hat Enterprise Linux 6", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0679", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:6", "package" : "java-1.6.0-sun-1:1.6.0.115-1jpp.1.el6_7" }, { "product_name" : "Oracle Java for Red Hat Enterprise Linux 7", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0677", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7", "package" : "java-1.8.0-oracle-1:1.8.0.91-1jpp.1.el7" }, { "product_name" : "Oracle Java for Red Hat Enterprise Linux 7", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0678", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7", "package" : "java-1.7.0-oracle-1:1.7.0.101-1jpp.1.el7" }, { "product_name" : "Oracle Java for Red Hat Enterprise Linux 7", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0679", "cpe" : "cpe:/a:redhat:rhel_extras_oracle_java:7", "package" : "java-1.6.0-sun-1:1.6.0.115-1jpp.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 5", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0676", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "package" : "java-1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el5_11" }, { "product_name" : "Red Hat Enterprise Linux 5", "release_date" : "2016-05-09T00:00:00Z", "advisory" : "RHSA-2016:0723", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "package" : "java-1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el5_11" }, { "product_name" : "Red Hat Enterprise Linux 5 Supplementary", "release_date" : "2016-04-29T00:00:00Z", "advisory" : "RHSA-2016:0702", "cpe" : "cpe:/a:redhat:rhel_extras:5", "package" : "java-1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5" }, { "product_name" : "Red Hat Enterprise Linux 5 Supplementary", "release_date" : "2016-05-02T00:00:00Z", "advisory" : "RHSA-2016:0708", "cpe" : "cpe:/a:redhat:rhel_extras:5", "package" : "java-1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el5" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-04-20T00:00:00Z", "advisory" : "RHSA-2016:0651", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "java-1.8.0-openjdk-1:1.8.0.91-0.b14.el6_7" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0675", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "java-1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el6_7" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-09T00:00:00Z", "advisory" : "RHSA-2016:0723", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "java-1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el6_7" }, { "product_name" : "Red Hat Enterprise Linux 6 Supplementary", "release_date" : "2016-04-29T00:00:00Z", "advisory" : "RHSA-2016:0701", "cpe" : "cpe:/a:redhat:rhel_extras:6", "package" : "java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7" }, { "product_name" : "Red Hat Enterprise Linux 6 Supplementary", "release_date" : "2016-05-02T00:00:00Z", "advisory" : "RHSA-2016:0708", "cpe" : "cpe:/a:redhat:rhel_extras:6", "package" : "java-1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el6_7" }, { "product_name" : "Red Hat Enterprise Linux 6 Supplementary", "release_date" : "2016-05-11T00:00:00Z", "advisory" : "RHSA-2016:1039", "cpe" : "cpe:/a:redhat:rhel_extras:6", "package" : "java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el6" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-04-20T00:00:00Z", "advisory" : "RHSA-2016:0650", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "java-1.8.0-openjdk-1:1.8.0.91-0.b14.el7_2" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-04-21T00:00:00Z", "advisory" : "RHSA-2016:0676", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "java-1.7.0-openjdk-1:1.7.0.101-2.6.6.1.el7_2" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-05-09T00:00:00Z", "advisory" : "RHSA-2016:0723", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "java-1.6.0-openjdk-1:1.6.0.39-1.13.11.0.el7_2" }, { "product_name" : "Red Hat Enterprise Linux 7 Supplementary", "release_date" : "2016-04-29T00:00:00Z", "advisory" : "RHSA-2016:0701", "cpe" : "cpe:/a:redhat:rhel_extras:7", "package" : "java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Supplementary", "release_date" : "2016-05-03T00:00:00Z", "advisory" : "RHSA-2016:0716", "cpe" : "cpe:/a:redhat:rhel_extras:7", "package" : "java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7" }, { "product_name" : "Red Hat Satellite 5.6", "release_date" : "2016-07-18T00:00:00Z", "advisory" : "RHSA-2016:1430", "cpe" : "cpe:/a:redhat:network_satellite:5.6::el5", "package" : "java-1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5" }, { "product_name" : "Red Hat Satellite 5.6", "release_date" : "2016-07-18T00:00:00Z", "advisory" : "RHSA-2016:1430", "cpe" : "cpe:/a:redhat:network_satellite:5.6::el5", "package" : "java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7" }, { "product_name" : "Red Hat Satellite 5.6", "release_date" : "2016-07-18T00:00:00Z", "advisory" : "RHSA-2016:1430", "cpe" : "cpe:/a:redhat:network_satellite:5.6::el5", "package" : "spacewalk-java-0:2.0.2-109.el5sat" }, { "product_name" : "Red Hat Satellite 5.6", "release_date" : "2017-05-09T00:00:00Z", "advisory" : "RHSA-2017:1216", "cpe" : "cpe:/a:redhat:network_satellite:5.6::el6", "package" : "java-1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2016-07-18T00:00:00Z", "advisory" : "RHSA-2016:1430", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2016-07-18T00:00:00Z", "advisory" : "RHSA-2016:1430", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-java-0:2.3.8-146.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-05-09T00:00:00Z", "advisory" : "RHSA-2017:1216", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "java-1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-3427\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-3427\nhttp://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html#AppendixJAVA\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ], "name" : "CVE-2016-3427", "csaw" : false }