CVE-2011-4461 - Cryptographic Issues vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | PARTIAL |
Summary
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-1429-1.NASL |
description | It was discovered that Jetty computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. This could allow a remote attacker to cause a denial of service by sending many crafted parameters. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 58892 |
published | 2012-04-27 |
reporter | Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/58892 |
title | Ubuntu 10.04 LTS / 11.04 : jetty vulnerability (USN-1429-1) |
code |

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-1429-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58892);
  script_version("1.10");
  script_cvs_date("Date: 2019/09/19 12:54:27");

  script_cve_id("CVE-2011-4461");
  script_bugtraq_id(51199);
  script_xref(name:"USN", value:"1429-1");

  script_name(english:"Ubuntu 10.04 LTS / 11.04 : jetty vulnerability (USN-1429-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that Jetty computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/1429-1/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected libjetty-java package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libjetty-java");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/04/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(10\.04|11\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 11.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"10.04", pkgname:"libjetty-java", pkgver:"6.1.22-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"11.04", pkgname:"libjetty-java", pkgver:"6.1.24-6ubuntu0.11.04.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libjetty-java");
}
```

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2012-0730.NASL |
description | Back-port of upstream jetty patches for CVE-2011-4461 - hash table collisions DoS. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2012-03-26 |
plugin id | 58461 |
published | 2012-03-26 |
reporter | This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/58461 |
title | Fedora 16 : jetty-6.1.26-8.fc16 (2012-0730) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2012-0730.
#

include("compat.inc");

if (description)
{
  script_id(58461);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2011-4461");
  script_bugtraq_id(51199);
  script_xref(name:"FEDORA", value:"2012-0730");

  script_name(english:"Fedora 16 : jetty-6.1.26-8.fc16 (2012-0730)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Back-port of upstream jetty patches for CVE-2011-4461 - hash table
collisions DoS.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=781677"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-March/076411.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1388f9e1"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected jetty package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jetty");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC16", reference:"jetty-6.1.26-8.fc16")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jetty");
}
```

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_4_JETTY5-120215.NASL |
description | jetty5 was prone to a remotely exploitable Denial of Service flaw via hash collisions (CVE-2011-4461). |
last seen | 2020-06-05 |
modified | 2014-06-13 |
plugin id | 75875 |
published | 2014-06-13 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/75875 |
title | openSUSE Security Update : jetty5 (openSUSE-SU-2012:0262-1) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update jetty5-5813.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75875);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2011-4461");

  script_name(english:"openSUSE Security Update : jetty5 (openSUSE-SU-2012:0262-1)");
  script_summary(english:"Check for the jetty5-5813 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"jetty5 was prone to a remotely exploitable Denial of Service flaw via
hash collisions (CVE-2011-4461)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=739121"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2012-02/msg00050.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected jetty5 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jetty5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jetty5-demo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jetty5-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:jetty5-manual");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if ( rpm_check(release:"SUSE11.4", reference:"jetty5-5.1.14-11.12.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"jetty5-demo-5.1.14-11.12.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"jetty5-javadoc-5.1.14-11.12.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"jetty5-manual-5.1.14-11.12.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jetty5 / jetty5-demo / jetty5-javadoc / jetty5-manual");
}
```

NASL family | Misc. |
NASL id | ORACLE_ENTERPRISE_MANAGER_JAN_2015_CPU.NASL |
description | The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by vulnerabilities in the following subcomponents of the Enterprise Manager Base Platform component : - Agent - UI Framework - Process Management & Notification Note that the product was formerly known as the Enterprise Manager Grid Control. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 80966 |
published | 2015-01-26 |
reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/80966 |
title | Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2015 CPU) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(80966);
  script_version("1.10");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id("CVE-2011-4461", "CVE-2014-4212", "CVE-2015-0426");
  script_bugtraq_id(51199, 68638, 72235);

  script_name(english:"Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2015 CPU)");
  script_summary(english:"Checks for the patch ID.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an enterprise management application installed
that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Enterprise Manager Cloud Control installed on
the remote host is affected by vulnerabilities in the following
subcomponents of the Enterprise Manager Base Platform component :

  - Agent
  - UI Framework
  - Process Management & Notification

Note that the product was formerly known as the Enterprise Manager
Grid Control.");
  # https://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixEM
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ef3ddfc");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the
January 2015 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/26");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("oracle_enterprise_manager_installed.nbin");
  script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("oracle_rdbms_cpu_func.inc");
include("install_func.inc");

product = "Oracle Enterprise Manager Cloud Control";
install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
version = install['version'];
emchome = install['path'];

patches = make_array();

if (version !~ "^12\.1\.0\.(3(\.[0-2])?$|4(\.[01])?$)")
  audit(AUDIT_HOST_NOT, 'affected');

wls_home = str_replace(find:'oms', replace:'', string:emchome);

if (emchome =~ '^[A-Za-z]:.*')
{
  wls_home = ereg_replace(string:emchome, pattern:'^([A-Za-z]:.*\\\\)oms(\\\\)?$', replace:"\1");
  separator = '\\';
}
else
{
  wls_home = ereg_replace(string:emchome, pattern:'^(/.*/)oms(/)?$', replace:"\1");
  separator = "/";
}

if (version =~ "^12\.1\.0\.3(\.[0-2])?$")
{
  patches["oracle.as.webtiercd.top"]["patchid"] = "17988318";
  patches["oracle.as.webtiercd.top"]["path"] = wls_home + "Oracle_WT" + separator;
  patches["oracle.sysman.common.core"]["patchid"] = "17617669";
  patches["oracle.sysman.common.core"]["path"] = wls_home + "oracle_common" + separator;
  patches["oracle.sysman.top.agent"]["patchid"] = "19930706";

  ohomes = make_list();
  res = query_scratchpad("SELECT path FROM oracle_homes");
  if (empty_or_null(res)) exit(1, 'Unable to obtain Oracle Homes');
  foreach ohome (res)
    ohomes = make_list(ohomes, ohome['path']);

  foreach ohome (ohomes)
  {
    res = find_oracle_component_in_ohome(ohome:ohome, compid:'oracle.sysman.top.agent');
    if (!empty_or_null(res))
    {
      patches["oracle.sysman.top.agent"]["path"] = ohome;
      break;
    }
  }
}
else if (version =~ "^12\.1\.0\.4(\.[01])?$")
{
  patches["oracle.as.webtiercd.top"]["patchid"] = "19345576";
  patches["oracle.as.webtiercd.top"]["path"] = wls_home + "Oracle_WT" ;
  patches["oracle.sysman.common.core"]["patchid"] = "17617649";
  patches["oracle.sysman.common.core"]["path"] = wls_home + "oracle_common";
}

# Now look for the affected components
missing = make_list();
foreach comp (keys(patches))
{
  ohome = patches[comp]["path"];
  patchesinstalled = find_patches_in_ohomes(ohomes:make_list(ohome));
  if (isnull(patchesinstalled))
  {
    missing = make_list(missing, patches[comp]["patchid"]);
  }
  else
  {
    patched = FALSE;
    foreach patchid (keys(patchesinstalled[ohome]))
    {
      if (patchid == patches[comp]["patchid"])
      {
        patched = TRUE;
      }
      else
      {
        foreach bugid (patchesinstalled[ohome][patchid]['bugs'])
        {
          if (bugid == patches[comp]["patchid"])
          {
            patched = TRUE;
          }
        }
      }
    }
    if (!patched)
    {
      missing = make_list(missing, patches[comp]["patchid"]);
    }
  }
}

if (max_index(keys(missing)) == 0)
  audit(AUDIT_HOST_NOT, 'affected');

if (report_verbosity > 0)
{
  report +=
    '\n Product : ' + product +
    '\n Version : ' + version +
    '\n Missing patch : ' + join(missing, sep:',') +
    '\n';
  security_warning(port:0, extra:report);
}
else security_warning(0);
```

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2012-0752.NASL |
description | Back-port of upstream jetty patches for CVE-2011-4461, hash DOS. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2012-03-26 |
plugin id | 58462 |
published | 2012-03-26 |
reporter | This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/58462 |
title | Fedora 15 : jetty-6.1.26-7.fc15 (2012-0752) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2012-128.NASL |
description | jetty5 was prone to a remotely exploitable Denial of Service flaw via hash collisions |
last seen | 2020-06-05 |
modified | 2014-06-13 |
plugin id | 74553 |
published | 2014-06-13 |
reporter | This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/74553 |
title | openSUSE Security Update : jetty5 (openSUSE-2012-128) |

Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:26121 |
last seen | 2017-11-19 |
modified | 2011-12-29 |
published | 2011-12-29 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-26121 |
title | Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks |
References
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- http://marc.info/?l=bugtraq&m=143387688830075&w=2
- http://secunia.com/advisories/47408
- http://secunia.com/advisories/48981
- http://www.kb.cert.org/vuls/id/903934
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://www.ocert.org/advisories/ocert-2011-003.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.securitytracker.com/id?1026475
- http://www.ubuntu.com/usn/USN-1429-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72017
- https://security.netapp.com/advisory/ntap-20190307-0004/