Oracle Security Alert for CVE-2016-0603


This Security Alert addresses CVE-2016-0603 which can be exploited when installing Java SE 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6.

To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and downloading files onto the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system.

Because the exposure exists only during the installation process, users need not upgrade existing Java SE installations to address the vulnerability. However, Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.
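The following sketch, added here as an illustration and not part of Oracle's alert, flags previously downloaded Windows installers that predate the fixed updates named above. It assumes installers keep names of the form `jre-8u71-windows-x64.exe`; that naming pattern, the function names and the sample file names are assumptions, and renamed files will not be recognised.

```python
import re
from pathlib import Path

# First fixed update per Java SE family, as stated in the alert.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed installer naming (not stated in the alert), e.g.
# jre-8u71-windows-x64.exe or jdk-7u95-windows-i586.exe.
# A missing "uNN" part is treated as update 0 of that family.
INSTALLER_RE = re.compile(
    r"^(?:jdk|jre)-(?P<family>\d+)(?:u(?P<update>\d+))?-windows-[\w-]+\.exe$",
    re.IGNORECASE,
)

def classify(filename):
    """Return 'discard', 'ok' or 'unknown' for one file name."""
    m = INSTALLER_RE.match(filename)
    if not m:
        return "unknown"  # not a recognisable Windows Java SE installer
    family = int(m["family"])
    update = int(m["update"] or 0)
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "unknown"  # family not covered by this alert
    return "discard" if update < fixed else "ok"

def stale_installers(directory):
    """Installer files under `directory` that predate the fixed updates."""
    return sorted(
        p for p in Path(directory).rglob("*.exe")
        if classify(p.name) == "discard"
    )

# Constructed sample names, for illustration only.
SAMPLES = [
    "jre-8u71-windows-x64.exe",
    "jre-8u73-windows-x64.exe",
    "jdk-7u95-windows-i586.exe",
    "jre-6u113-windows-i586.exe",
    "jre-8u71-linux-x64.tar.gz",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name}: {classify(name)}")
```

Files reported as `discard` are the ones to delete and replace with a current download; `unknown` means the name gave no usable version and the file needs a manual check.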

As a reminder, Oracle recommends that Java SE home users visit to ensure that they are running the most recent version of Java SE and advises against downloading Java SE from sites other than as these sites may be malicious.

Note: The Java SE Advanced Enterprise installers are not affected.

Supported Products Affected

The security vulnerability addressed by this Security Alert affects the products listed below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.

Affected product releases and versions:

Java SE | Patch Availability
JDK and JRE 6 Update 111 on Windows only | Java SE
JDK and JRE 7 Update 95 on Windows only | Java SE
JDK and JRE 8 Update 71, 72 on Windows only | Java SE

Patch Availability Table and Risk Matrix

Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.

Patch Availability Table

Product Group | Risk Matrix | Patch Availability and Installation Information
Oracle Java SE | Oracle Java SE Risk Matrix |


Modification History

Date | Comments
2016-February-5 | Rev 1. Initial Release

Appendix - Oracle Java SE


Oracle Java SE Executive Summary

This Security Alert contains 1 new security fix for Oracle Java SE. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Java SE Risk Matrix

CVE#: CVE-2016-0603
Component: Java SE
Protocol: Multiple
Sub-component: Install
Remote Exploit without Auth.?: Yes
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions):
  Base Score: 7.6
  Access Vector: Network
  Access Complexity: High
  Authentication: None
  Confidentiality: Complete
  Integrity: Complete
  Availability: Complete
Supported Versions Affected: Java SE: 6u111, 7u95, 8u71, 8u72
Notes: See Note 1


  1. Applies to installation of Java SE on Windows only.