CVE-2011-0869 - Remote Java Runtime Environment vulnerability in SUN JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ.

  • NASL family: Windows
    description: The version of HP Systems Insight Manager installed on the remote Windows host is affected by vulnerabilities in the following components: TLS and SSL protocols, Apache Tomcat, Java, Flash Player, BlazeDS/GraniteDS, Adobe LiveCycle, Adobe Flex SDK, Systems Insight Manager.
    title: HP Systems Insight Manager < 7.0 Multiple Vulnerabilities
      script_name(english:"HP Systems Insight Manager < 7.0 Multiple Vulnerabilities");
      script_require_keys("installed_sw/HP Systems Insight Manager");
  • NASL family: Fedora Local Security Checks
    description: 2-released/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    title: Fedora 14 : java-1.6.0-openjdk- (2011-8003)
      script_name(english:"Fedora 14 : java-1.6.0-openjdk- (2011-8003)");
  • NASL family: SuSE Local Security Checks
    description: Oracle Java 6 Update 26 fixes several security vulnerabilities. Please refer to Oracle
    title: openSUSE Security Update : java-1_6_0-sun (openSUSE-SU-2011:0633-1)
      script_cve_id("CVE-2011-0786", "CVE-2011-0788", "CVE-2011-0802", "CVE-2011-0814", "CVE-2011-0815", "CVE-2011-0817", "CVE-2011-0862", "CVE-2011-0863", "CVE-2011-0864", "CVE-2011-0865", "CVE-2011-0866", "CVE-2011-0867", "CVE-2011-0868", "CVE-2011-0869", "CVE-2011-0871", "CVE-2011-0872", "CVE-2011-0873");
        value:"The remote openSUSE host is missing a security update."
    "Oracle Java 6 Update 26 fixes several security vulnerabilities.
    Please refer to Oracle's site for further information:
    (CVE-2011-0862, CVE-2011-0873, CVE-2011-0815, CVE-2011-0817,
    CVE-2011-0863, CVE-2011-0864, CVE-2011-0802, CVE-2011-0814,
    CVE-2011-0871, CVE-2011-0786, CVE-2011-0788, CVE-2011-0866,
    CVE-2011-0868, CVE-2011-0872, CVE-2011-0867, CVE-2011-0869,
  • NASL family: Debian Local Security Checks
    description: Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform. This combines the two previous openjdk-6 advisories, DSA-2311-1 and DSA-2356-1.
      - CVE-2011-0862 Integer overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges.
      - CVE-2011-0864 Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine.
      - CVE-2011-0865 A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact.
      - CVE-2011-0867 Untrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.)
      - CVE-2011-0868 A float-to-long conversion could overflow, allowing untrusted code (including applets) to crash the virtual machine.
      - CVE-2011-0869 Untrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection.
      - CVE-2011-0871 Untrusted code (including applets) could elevate its privileges through the Swing MediaTracker code.
      - CVE-2011-3389 The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode.
      - CVE-2011-3521 The CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code (such as applets) to elevate its privileges.
      - CVE-2011-3544 The Java scripting engine lacks necessary security manager checks, allowing untrusted Java code (such as applets) to elevate its privileges.
      - CVE-2011-3547 The skip() method in uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code.
      - CVE-2011-3548 The java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code (such as applets) to elevate its privileges.
      - CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges.
      - CVE-2011-3552 Malicious Java code can use up an excessive amount of UDP ports, leading to a denial of service.
      - CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information.
      - CVE-2011-3554 JAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files.
      - CVE-2011-3556 The RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitrary code.
      - CVE-2011-3557 The RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server.
      - CVE-2011-3560 The class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions.
    title: Debian DSA-2358-1 : openjdk-6 - several vulnerabilities (BEAST)
    "Upgrade the openjdk-6 packages.
    For the oldstable distribution (lenny), these problems have been fixed
    in version 6b18-1.8.10-0~lenny2."
  • NASL family: Fedora Local Security Checks
    description: 2-released/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    title: Fedora 15 : java-1.6.0-openjdk- (2011-8028)
  • NASL family: Scientific Linux Local Security Checks
    description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Integer overflow flaws were found in the way Java2D parsed JPEG images and user-supplied fonts. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted applet or application. (CVE-2011-0862) It was found that the MediaTracker implementation created Component instances with unnecessary access privileges. A remote attacker could use this flaw to elevate their privileges by utilizing an untrusted applet or application that uses Swing. (CVE-2011-0871) A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), resulting in an applet or application crashing. (CVE-2011-0864) An information leak flaw was found in the NetworkInterface class. An untrusted applet or application could use this flaw to access information about available network interfaces that should only be available to privileged code. (CVE-2011-0867) An incorrect float-to-long conversion, leading to an overflow, was found in the way certain objects (such as images and text) were transformed in Java2D. A remote attacker could use this flaw to crash an untrusted applet or application that uses Java2D. (CVE-2011-0868) It was found that untrusted applets and applications could misuse a SOAP connection to incorrectly set global HTTP proxy settings instead of setting them in a local scope. This flaw could be used to intercept HTTP requests. (CVE-2011-0869) A flaw was found in the way signed objects were deserialized. If trusted and untrusted code were running in the same Java Virtual Machine (JVM), and both were deserializing the same signed object, the untrusted code could modify said object by using this flaw to bypass the validation checks on signed objects. (CVE-2011-0865) Note: All of the above flaws can only be remotely triggered in OpenJDK by calling the
    title: Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x i386/x86_64
      script_summary(english:"Checks rpm output for the updated packages");
    "The remote Scientific Linux host is missing one or more security
    "These packages provide the OpenJDK 6 Java Runtime Environment and the
    OpenJDK 6 Software Development Kit.
    Integer overflow flaws were found in the way Java2D parsed JPEG images
    and user-supplied fonts. An attacker could use these flaws to execute
    arbitrary code with the privileges of the user running an untrusted
    applet or application. (CVE-2011-0862)
    It was found that the MediaTracker implementation created Component
    instances with unnecessary access privileges. A remote attacker could
    use this flaw to elevate their privileges by utilizing an untrusted
    applet or application that uses Swing. (CVE-2011-0871)
    A flaw was found in the HotSpot component in OpenJDK. Certain bytecode
    instructions confused the memory management within the Java Virtual
    Machine (JVM), resulting in an applet or application crashing.
    An information leak flaw was found in the NetworkInterface class. An
    untrusted applet or application could use this flaw to access
    information about available network interfaces that should only be
    available to privileged code. (CVE-2011-0867)
    An incorrect float-to-long conversion, leading to an overflow, was
    found in the way certain objects (such as images and text) were
    transformed in Java2D. A remote attacker could use this flaw to crash
    an untrusted applet or application that uses Java2D. (CVE-2011-0868)
    It was found that untrusted applets and applications could misuse a
    SOAP connection to incorrectly set global HTTP proxy settings instead
    of setting them in a local scope. This flaw could be used to intercept
    HTTP requests. (CVE-2011-0869)
    A flaw was found in the way signed objects were deserialized. If
    trusted and untrusted code were running in the same Java Virtual
    Machine (JVM), and both were deserializing the same signed object, the
    untrusted code could modify said object by using this flaw to bypass
    the validation checks on signed objects. (CVE-2011-0865)
    Note: All of the above flaws can only be remotely triggered in OpenJDK
    by calling the 'appletviewer' application.
    All users of java-1.6.0-openjdk are advised to upgrade to these
    updated packages, which provide OpenJDK 6 b20 / IcedTea 1.9.8 and
    resolve these issues. All running instances of OpenJDK Java must be
    restarted for the update to take effect."
  • NASL family: Mandriva Local Security Checks
    last seen: 2020-06-01
      script_summary(english:"Checks rpm output for the updated packages");
    "The remote Mandriva Linux host is missing one or more security
    "Multiple vulnerabilities were discovered and corrected in
    java-1.6.0-openjdk :
    Unspecified vulnerability in the Java Runtime Environment (JRE)
    component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and
    earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web
    Start applications and untrusted Java applets to affect integrity via
    unknown vectors related to Deserialization (CVE-2011-0865).
    Multiple unspecified vulnerabilities in the Java Runtime Environment
    (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update
    29 and earlier, and 1.4.2_31 and earlier allow remote attackers to
    affect confidentiality, integrity, and availability via unknown
    vectors related to 2D (CVE-2011-0862).
    Unspecified vulnerability in the Java Runtime Environment (JRE)
    component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and
    earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web
    Start applications and untrusted Java applets to affect
    confidentiality via unknown vectors related to Networking
    Unspecified vulnerability in the Java Runtime Environment (JRE)
    component in Oracle Java SE 6 Update 26 and earlier allows remote
    untrusted Java Web Start applications and untrusted Java applets to
    affect confidentiality via unknown vectors related to SAAJ
    Unspecified vulnerability in the Java Runtime Environment (JRE)
    component in Oracle Java SE 6 Update 25 and earlier allows remote
    attackers to affect confidentiality via unknown vectors related to 2D
    Unspecified vulnerability in the Java Runtime Environment (JRE)
    component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and
    earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web
    Start applications and untrusted Java applets to affect
    confidentiality, integrity, and availability via unknown vectors
    related to HotSpot (CVE-2011-0864).
    Unspecified vulnerability in the Java Runtime Environment (JRE)
    component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and
    earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web
    Start applications and untrusted Java applets to affect
    confidentiality, integrity, and availability via unknown vectors
    related to Swing (CVE-2011-0871).
    Packages for 2009.0 are provided as of the Extended Maintenance
    Program. Please visit this link to learn more: products_id=490
    The updated packages have been upgraded to versions which are not
    vulnerable to these issues."
  • NASL family: Ubuntu Local Security Checks
    title: Ubuntu 10.04 LTS / 10.10 / 11.04 : openjdk-6, openjdk-6b18 vulnerabilities (USN-1154-1)
    NASL id: SUSE_11_3_JAVA-1_6_0-SUN-110608.NASL
    title: openSUSE Security Update : java-1_6_0-sun (openSUSE-SU-2011:0633-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201111-02.NASL
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    title: GLSA-201111-02 : Oracle JRE/JDK: Multiple vulnerabilities (BEAST)
  • NASL family: Red Hat Local Security Checks
    last seen: 2020-06-01
  • NASL family: SuSE Local Security Checks
    last seen: 2020-06-01
  • NASL family: MacOS X Local Security Checks
    plugin id: 55459
    NASL id: SUSE_11_JAVA-1_6_0-IBM-110713.NASL
(CVE-2011-0788) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2011-0786. (CVE-2011-0802) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound, a different vulnerability than CVE-2011-0802. (CVE-2011-0814) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to AWT. (CVE-2011-0815) - Multiple unspecified vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2011-0862) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking. 
(CVE-2011-0867) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ. (CVE-2011-0869) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (CVE-2011-0817) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (CVE-2011-0863) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D. (CVE-2011-0868) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. (CVE-2011-0871) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect availability via unknown vectors related to NIO. 
(CVE-2011-0872) - An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, and 5.0 Update 29 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2011-0873)
  • NASL family: Debian Local Security Checks
    plugin id: 56307
    NASL id: JUNIPER_NSM_PSN_2012_08_689.NASL
    plugin id: 69874
    description: From Red Hat Security Advisory 2011:0856 : Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Integer overflow flaws were found in the way Java2D parsed JPEG images and user-supplied fonts. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted applet or application. (CVE-2011-0862) It was found that the MediaTracker implementation created Component instances with unnecessary access privileges. A remote attacker could use this flaw to elevate their privileges by utilizing an untrusted applet or application that uses Swing. (CVE-2011-0871) A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), resulting in an applet or application crashing. (CVE-2011-0864) An information leak flaw was found in the NetworkInterface class. An untrusted applet or application could use this flaw to access information about available network interfaces that should only be available to privileged code. (CVE-2011-0867) An incorrect float-to-long conversion, leading to an overflow, was found in the way certain objects (such as images and text) were transformed in Java2D. A remote attacker could use this flaw to crash an untrusted applet or application that uses Java2D. (CVE-2011-0868) It was found that untrusted applets and applications could misuse a SOAP connection to incorrectly set global HTTP proxy settings instead of setting them in a local scope. This flaw could be used to intercept HTTP requests. (CVE-2011-0869) A flaw was found in the way signed objects were deserialized. If trusted and untrusted code were running in the same Java Virtual Machine (JVM), and both were deserializing the same signed object, the untrusted code could modify said object by using this flaw to bypass the validation checks on signed objects. (CVE-2011-0865) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    description: From Red Hat Security Advisory 2011:0857 : Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Integer overflow flaws were found in the way Java2D parsed JPEG images and user-supplied fonts. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted applet or application. (CVE-2011-0862) It was found that the MediaTracker implementation created Component instances with unnecessary access privileges. A remote attacker could use this flaw to elevate their privileges by utilizing an untrusted applet or application that uses Swing. (CVE-2011-0871) A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), resulting in an applet or application crashing. (CVE-2011-0864) An information leak flaw was found in the NetworkInterface class. An untrusted applet or application could use this flaw to access information about available network interfaces that should only be available to privileged code. (CVE-2011-0867) An incorrect float-to-long conversion, leading to an overflow, was found in the way certain objects (such as images and text) were transformed in Java2D. A remote attacker could use this flaw to crash an untrusted applet or application that uses Java2D. (CVE-2011-0868) It was found that untrusted applets and applications could misuse a SOAP connection to incorrectly set global HTTP proxy settings instead of setting them in a local scope. This flaw could be used to intercept HTTP requests. (CVE-2011-0869) A flaw was found in the way signed objects were deserialized. If trusted and untrusted code were running in the same Java Virtual Machine (JVM), and both were deserializing the same signed object, the untrusted code could modify said object by using this flaw to bypass the validation checks on signed objects. (CVE-2011-0865) Note: All of the above flaws can only be remotely triggered in OpenJDK by calling the
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    description: Oracle Java 6 Update 26 fixes several security vulnerabilities. Please refer to Oracle
  • NASL family: Scientific Linux Local Security Checks
    last seen: 2020-06-01
    NASL id: GENTOO_GLSA-201406-32.NASL
    plugin id: 76303
    description: The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 6 Update 26 / 5.0 Update 30 / 1.4.2_32. Such versions are potentially affected by security issues in the following components: AWT, Deployment, Deserialization, Hotspot, Java Runtime Environment, Networking, NIO, SAAJ, Sound, Swing.
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    description: Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. Integer overflow flaws were found in the way Java2D parsed JPEG images and user-supplied fonts. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted applet or application. (CVE-2011-0862) It was found that the MediaTracker implementation created Component instances with unnecessary access privileges. A remote attacker could use this flaw to elevate their privileges by utilizing an untrusted applet or application that uses Swing. (CVE-2011-0871) A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), resulting in an applet or application crashing. (CVE-2011-0864) An information leak flaw was found in the NetworkInterface class. An untrusted applet or application could use this flaw to access information about available network interfaces that should only be available to privileged code. (CVE-2011-0867) An incorrect float-to-long conversion, leading to an overflow, was found in the way certain objects (such as images and text) were transformed in Java2D. A remote attacker could use this flaw to crash an untrusted applet or application that uses Java2D. (CVE-2011-0868) It was found that untrusted applets and applications could misuse a SOAP connection to incorrectly set global HTTP proxy settings instead of setting them in a local scope. This flaw could be used to intercept HTTP requests. (CVE-2011-0869) A flaw was found in the way signed objects were deserialized. If trusted and untrusted code were running in the same Java Virtual Machine (JVM), and both were deserializing the same signed object, the untrusted code could modify said object by using this flaw to bypass the validation checks on signed objects. (CVE-2011-0865) Note: All of the above flaws can only be remotely triggered in OpenJDK by calling the
  • NASL family: Scientific Linux Local Security Checks
    last seen: 2020-06-01
  • NASL family: SuSE Local Security Checks
    last seen: 2020-06-01
  • NASL family: Red Hat Local Security Checks
    last seen: 2020-06-01
  • NASL family: Fedora Local Security Checks
    last seen: 2020-06-01
    NASL id: SUSE_JAVA-1_6_0-SUN-7569.NASL
    plugin id: 57211
    NASL id: REDHAT-RHSA-2013-1455.NASL
    plugin id: 78975
    NASL id: SUSE_JAVA-1_6_0-IBM-7627.NASL
(CVE-2011-0788)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2011-0786. (CVE-2011-0802)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound, a different vulnerability than CVE-2011-0802. (CVE-2011-0814)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to AWT. (CVE-2011-0815)
- Multiple unspecified vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2011-0862)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking. (CVE-2011-0867)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ. (CVE-2011-0869)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (CVE-2011-0817)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (CVE-2011-0863)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D. (CVE-2011-0868)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. (CVE-2011-0871)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect availability via unknown vectors related to NIO. (CVE-2011-0872)
- An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, and 5.0 Update 29 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2011-0873)
    NASL id: SUSE_JAVA-1_6_0-IBM-7626.NASL
    • comment: Java SE Development Kit 6 is installed
    description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ.
