STEAM-ADVISORY NO. 201407171201
PURDUE UNIVERSITY SECURITY
STEAM-CIRT
Thursday, July 17th, 2014 12:25pm

==OVERVIEW==

Oracle released the Critical Patch Update for July 2014 to address many vulnerabilities in a large number of its products. Java SE was updated to correct twenty (20) security vulnerabilities. ITSP recommends that you apply this Java update as soon as possible.

==SYSTEMS AFFECTED==

All systems that have Java SE installed are impacted. This includes most desktops and laptops on the Purdue network.

Only the versions of Java SE released on July 15th, 2014 have the known security vulnerabilities corrected. All other versions are considered vulnerable and unsafe to use.

==DETAILS==

On July 15, 2014 Oracle released its monthly critical patch update for many of its products. This release included twenty (20) corrected security vulnerabilities for Java SE. All twenty are remotely exploitable without authentication. This means that a Java applet from any website can compromise the security of a computer.

Eight (8) of the vulnerabilities have a Common Vulnerability Scoring Standard (CVSS) score at or above 9.3 (out of 10). The high scores indicate that several of the vulnerabilities can be exploited and allow attackers to completely compromise the system. These security issues are significant and easily exploited by attackers.

==SOLUTIONS==

Oracle has corrected the issues and released new versions of Java SE for immediate deployment and installation. The following versions have the security vulnerabilities corrected:

Java SE 8u11 (version 8, update 11)
Java SE 7u65 (version 7, update 65)

For system administrators, ITSP recommends that you quickly test and deploy the corrected versions of Java as soon as possible.

For Purdue ePO-managed systems, some additional protection may be provided by McAfee SiteAdvisor. This protection is limited to blocking access to known malicious web sites that may harbor Java exploits. SiteAdvisor should not be considered a complete solution though.

For self-supported users, update your Java version by downloading the latest Java SE installation package from the Oracle Java website (see below).

If you do not need to run Java applets through your web browser, you can use the Java Control Panel to uncheck the "Enable Java content in the browser" option in the Security tab. This will limit exposure to web-based Java exploits.

==FURTHER INFORMATION AND RESOURCES==

oracle .com /technetwork/topics/security/cpujul2014-1972956.html
oracle .com /technetwork/java/javase/downloads/index.html
(copy/paste and remove the spaces)

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to: email@example.com.

Report computer-related abuse to steam-cirt:
purdue .edu /securePurdue/incidentReportForm.cfm
purdue .edu /securepurdue/steam
(copy/paste and remove the spaces)

Posted by ITSP on July 17, 2014, in Advisory Alerts.
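
For administrators checking systems against the fixed versions listed under SOLUTIONS, the following is an added example, not part of the original advisory or any Purdue tooling. It classifies the first line of `java -version` output collected from each host; the host names and sample lines are constructed, and treating updates later than 7u65 or 8u11 in the same family as patched is an assumption.

```python
import re

# Fixed releases named in the advisory: Java SE 7u65 and Java SE 8u11.
FIXED_UPDATE = {7: 65, 8: 11}

# Legacy version string printed by `java -version`, e.g. java version "1.7.0_60".
VERSION_RE = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?')

def parse_java_version(line):
    """Return (family, update) from a `java -version` line, or None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    # A GA build such as "1.8.0" has no update suffix; treat it as update 0.
    return int(m.group(1)), int(m.group(2) or 0)

def patch_status(line):
    """Classify a version line as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_java_version(line)
    if parsed is None:
        return "unknown"          # no Java found, or an unrecognised format
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "vulnerable"       # advisory lists no fixed release for this family
    # Assumption: later updates in the same family also carry the fixes.
    return "patched" if update >= fixed else "vulnerable"

def hosts_needing_attention(inventory):
    """Return (host, status) for every host that is not confirmed patched."""
    results = [(host, patch_status(line)) for host, line in inventory]
    return [(host, status) for host, status in results if status != "patched"]

# Constructed sample inventory: (host name, first line of `java -version`).
SAMPLE_INVENTORY = [
    ("lab-pc-01", 'java version "1.7.0_65"'),
    ("lab-pc-02", 'java version "1.7.0_60"'),
    ("lab-pc-03", 'java version "1.8.0_05"'),
    ("lab-pc-04", 'java version "1.8.0_11"'),
    ("lab-pc-05", 'java version "1.6.0_45"'),
    ("lab-pc-06", "java: command not found"),
]

if __name__ == "__main__":
    for host, status in hosts_needing_attention(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```
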