Vulnerabilities > CVE-2014-0451
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-2412.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 5 | |
OS | 3 | |
Application | 8 |
Nessus
NASL family Solaris Local Security Checks NASL id SOLARIS9_125137.NASL description JavaSE 6: update 101 patch (equivalent to. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27021 published 2007-10-12 reporter This script is Copyright (C) 2007-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27021 title Solaris 9 (sparc) : 125137-97 NASL family Solaris Local Security Checks NASL id SOLARIS8_125136.NASL description JavaSE 6: update 101 patch (equivalent to. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27008 published 2007-10-12 reporter This script is Copyright (C) 2007-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27008 title Solaris 8 (sparc) : 125136-97 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0412.NASL description Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0432, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412, CVE-2014-2413, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2422, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 55 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73608 published 2014-04-18 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73608 title RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2014:0412) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201502-12.NASL description The remote host is affected by the vulnerability described in GLSA-201502-12 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Oracle’s Java SE Development Kit and Runtime Environment. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker may be able to execute arbitrary code, disclose, update, insert, or delete certain data. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 81370 published 2015-02-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81370 title GLSA-201502-12 : Oracle JRE/JDK: Multiple vulnerabilities NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_118669.NASL description JavaSE 5.0_x86: update 85 patch (equivalent to JDK 5.0u85), 64bit. Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19583 published 2005-09-06 reporter This script is Copyright (C) 2005-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19583 title Solaris 9 (x86) : 118669-86 NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_118669.NASL description JavaSE 5.0_x86: update 85 patch (equivalent to JDK 5.0u85), 64bit. Date this patch was last updated by Sun : Apr/13/15 This plugin has been deprecated and either replaced with individual 118669 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 19580 published 2005-09-06 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=19580 title Solaris 10 (x86) : 118669-86 (deprecated) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0509.NASL description Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-0457, CVE-2014-2421, CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-2427, CVE-2014-2412, CVE-2014-0460, CVE-2013-6629, CVE-2014-2401, CVE-2014-0453, CVE-2014-2398, CVE-2014-1876) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP6 release. All running instances of IBM Java must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 74032 published 2014-05-16 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74032 title RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2014:0509) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_125138.NASL description JavaSE 6_x86: update 101 patch (equivalent. Date this patch was last updated by Sun : Jul/13/15 This plugin has been deprecated and either replaced with individual 125138 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 26995 published 2007-10-12 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=26995 title Solaris 10 (x86) : 125138-97 (deprecated) NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_125139.NASL description JavaSE 6_x86: update 101 patch (equivalent. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27034 published 2007-10-12 reporter This script is Copyright (C) 2007-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27034 title Solaris 9 (x86) : 125139-97 NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-772.NASL description This openjdk update fixes the following security and non security issues : - Upgrade to 2.4.8 (bnc#887530) - Changed back from gzipped tarball to xz - Changed the keyring file to add Andrew John Hughes that signed the icedtea package - Change ZERO to AARCH64 tarball - Removed patches : - gstackbounds.patch - java-1.7.0-openjdk-ppc-zero-jdk.patch - java-1.7.0-openjdk-ppc-zero-hotspot.patch - Integrated in upstream icedtea - java-1.7.0-openjdk-makefiles-zero.patch - Does not apply on the AARCH64 tarball, since the change from DEFAULT and ZERO tarball to DEFAULT and AARCH64 - Upstream changes since 2.4.4 : - Security fixes - S8029755, CVE-2014-4209: Enhance subject class - S8030763: Validate global memory allocation - S8031340, CVE-2014-4264: Better TLS/EC management - S8031346, CVE-2014-4244: Enhance RSA key handling - S8031540: Introduce document horizon - S8032536: JVM resolves wrong method in some unusual cases - S8033055: Issues in 2d - S8033301, CVE-2014-4266: Build more informative InfoBuilder - S8034267: Probabilistic native crash - S8034272: Do not cram data into CRAM arrays - S8034985, CVE-2014-2483: Better form for Lambda Forms - S8035004, CVE-2014-4252: Provider provides less service - S8035009, CVE-2014-4218: Make Proxy representations consistent - S8035119, CVE-2014-4219: Fix exceptions to bytecode verification - S8035699, CVE-2014-4268: File choosers should be choosier - S8035788. CVE-2014-4221: Provide more consistency for lookups - S8035793, CVE-2014-4223: Maximum arity maxed out - S8036571: (process) Process process arguments carefully - S8036800: Attribute OOM to correct part of code - S8037046: Validate libraries to be loaded - S8037076, CVE-2014-2490: Check constant pool constants - S8037157: Verify <init> call - S8037162, CVE-2014-4263: More robust DH exchanges - S8037167, CVE-2014-4216: Better method signature resolution - S8039520, CVE-2014-4262: More atomicity of atomic updates - S8023046: Enhance splashscreen support - S8025005: Enhance CORBA initializations - S8025010, CVE-2014-2412: Enhance AWT contexts - S8025030, CVE-2014-2414: Enhance stream handling - S8025152, CVE-2014-0458: Enhance activation set up - S8026067: Enhance signed jar verification - S8026163, CVE-2014-2427: Enhance media provisioning - S8026188, CVE-2014-2423: Enhance envelope factory - S8026200: Enhance RowSet Factory - S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling - S8026736, CVE-2014-2398: Enhance Javadoc pages - S8026797, CVE-2014-0451: Enhance data transfers - S8026801, CVE-2014-0452: Enhance endpoint addressing - S8027766, CVE-2014-0453: Enhance RSA processing - S8027775: Enhance ICU code. - S8027841, CVE-2014-0429: Enhance pixel manipulations - S8028385: Enhance RowSet Factory - S8029282, CVE-2014-2403: Enhance CharInfo set up - S8029286: Enhance subject delegation - S8029699: Update Poller demo - S8029730: Improve audio device additions - S8029735: Enhance service mgmt natives - S8029740, CVE-2014-0446: Enhance handling of loggers - S8029745, CVE-2014-0454: Enhance algorithm checking - S8029750: Enhance LCMS color processing (in-tree LCMS) - S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg) - S8029844, CVE-2014-0455: Enhance argument validation - S8029854, CVE-2014-2421: Enhance JPEG decodings - S8029858, CVE-2014-0456: Enhance array copies - S8030731, CVE-2014-0460: Improve name service robustness - S8031330: Refactor ObjectFactory - S8031335, CVE-2014-0459: Better color profiling (in-tree LCMS) - S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng) - S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader - S8031395: Enhance LDAP processing - S8032686, CVE-2014-2413: Issues with method invoke - S8033618, CVE-2014-1876: Correct logging output - S8034926, CVE-2014-2397: Attribute classes properly - S8036794, CVE-2014-0461: Manage JavaScript instances - Backports - S5049299: (process) Use posix_spawn, not fork, on S10 to avoid swap exhaustion - S6571600: JNI use results in UnsatisfiedLinkError looking for libmawt.so - S7131153: GetDC called way too many times - causes bad performance. - S7190349: [macosx] Text (Label) is incorrectly drawn with a rotated g2d - S8001108: an attempt to use last seen 2020-06-05 modified 2014-12-16 plugin id 80045 published 2014-12-16 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80045 title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2014:1645-1) NASL family Scientific Linux Local Security Checks NASL id SL_20140416_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL description An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX- WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-03-18 modified 2014-04-17 plugin id 73590 published 2014-04-17 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73590 title Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20140416) NASL family Solaris Local Security Checks NASL id SOLARIS8_118667.NASL description JavaSE 5.0: update 85 patch (equivalent to JDK 5.0u85), 64bit. Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19456 published 2005-08-18 reporter This script is Copyright (C) 2005-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19456 title Solaris 8 (sparc) : 118667-86 NASL family Windows NASL id IBM_NOTES_9_0_1_FP2.NASL description The remote host has a version of IBM Notes (formerly Lotus Notes) 9.0.x prior to 9.0.1 Fix Pack 2 (FP2) installed. It is, therefore, affected by the following vulnerabilities : - An unspecified error exists related to the TLS implementation and the IBM HTTP server that could allow certain error cases to cause 100% CPU utilization. Note this issue only affects Microsoft Windows hosts. (CVE-2014-0963) - Fixes in the Oracle Java CPU for April 2014 are included in the fixed IBM Java release, which is included in the fixed IBM Domino release. (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) last seen 2020-06-01 modified 2020-06-02 plugin id 77812 published 2014-09-23 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77812 title IBM Notes 9.0.x < 9.0.1 Fix Pack 2 Multiple Vulnerabilities NASL family Windows NASL id ORACLE_JAVA_CPU_APR_2014.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 8 Update 5, 7 Update 55, 6 Update 75, or 5 Update 65. It is, therefore, potentially affected by security issues in the following components : - 2D - AWT - Deployment - Hotspot - JAX-WS - JAXB - JAXP - JNDI - JavaFX - Javadoc - Libraries - Scripting - Security - Sound last seen 2020-06-01 modified 2020-06-02 plugin id 73570 published 2014-04-16 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73570 title Oracle Java SE Multiple Vulnerabilities (April 2014 CPU) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0413.NASL description Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. [Updated 12th May 2014] The package list in this erratum has been updated to make the packages available in the Oracle Java for Red Hat Enterprise Linux 6 Workstation x86_64 channels on the Red Hat Network. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0432, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412, CVE-2014-2413, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2422, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 55 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 79010 published 2014-11-08 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79010 title RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2014:0413) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2923.NASL description Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service. last seen 2020-03-17 modified 2014-05-06 plugin id 73868 published 2014-05-06 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73868 title Debian DSA-2923-1 : openjdk-7 - security update NASL family Solaris Local Security Checks NASL id SOLARIS8_118666.NASL description JavaSE 5.0: update 85 patch (equivalent to JDK 5.0u85). Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19455 published 2005-08-18 reporter This script is Copyright (C) 2005-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19455 title Solaris 8 (sparc) : 118666-86 NASL family Solaris Local Security Checks NASL id SOLARIS9_125136.NASL description JavaSE 6: update 101 patch (equivalent to. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27020 published 2007-10-12 reporter This script is Copyright (C) 2007-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27020 title Solaris 9 (sparc) : 125136-97 NASL family SuSE Local Security Checks NASL id SUSE_11_JAVA-1_7_0-OPENJDK-140508.NASL description This java-1_7_0-openjdk update to version 2.4.7 fixes the following security and non-security issues : - Security fixes - S8023046: Enhance splashscreen support - S8025005: Enhance CORBA initializations - S8025010, CVE-2014-2412: Enhance AWT contexts - S8025030, CVE-2014-2414: Enhance stream handling - S8025152, CVE-2014-0458: Enhance activation set up - S8026067: Enhance signed jar verification - S8026163, CVE-2014-2427: Enhance media provisioning - S8026188, CVE-2014-2423: Enhance envelope factory - S8026200: Enhance RowSet Factory - S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling - S8026736, CVE-2014-2398: Enhance Javadoc pages - S8026797, CVE-2014-0451: Enhance data transfers - S8026801, CVE-2014-0452: Enhance endpoint addressing - S8027766, CVE-2014-0453: Enhance RSA processing - S8027775: Enhance ICU code. - S8027841, CVE-2014-0429: Enhance pixel manipulations - S8028385: Enhance RowSet Factory - S8029282, CVE-2014-2403: Enhance CharInfo set up - S8029286: Enhance subject delegation - S8029699: Update Poller demo - S8029730: Improve audio device additions - S8029735: Enhance service mgmt natives - S8029740, CVE-2014-0446: Enhance handling of loggers - S8029745, CVE-2014-0454: Enhance algorithm checking - S8029750: Enhance LCMS color processing (in-tree LCMS) - S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg) - S8029844, CVE-2014-0455: Enhance argument validation - S8029854, CVE-2014-2421: Enhance JPEG decodings - S8029858, CVE-2014-0456: Enhance array copies - S8030731, CVE-2014-0460: Improve name service robustness - S8031330: Refactor ObjectFactory - S8031335, CVE-2014-0459: Better color profiling (in-tree LCMS) - S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng) - S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader - S8031395: Enhance LDAP processing - S8032686, CVE-2014-2413: Issues with method invoke - S8033618, CVE-2014-1876: Correct logging output - S8034926, CVE-2014-2397: Attribute classes properly - S8036794, CVE-2014-0461: Manage JavaScript instances - Backports - S8004145: New improved hgforest.sh, ctrl-c now properly terminates mercurial processes. - S8007625: race with nested repos in /common/bin/hgforest.sh - S8011178: improve common/bin/hgforest.sh python detection (MacOS) - S8011342: hgforest.sh : last seen 2020-06-05 modified 2014-05-14 plugin id 74007 published 2014-05-14 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74007 title SuSE 11.3 Security Update : OpenJDK (SAT Patch Number 9209) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2187-1.NASL description Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0461, CVE-2014-2397, CVE-2014-2402, CVE-2014-2412, CVE-2014-2414, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427) Two vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-0453, CVE-2014-0460) A vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit this to cause a denial of service. (CVE-2014-0459) Jakub Wilk discovered that the OpenJDK JRE incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. (CVE-2014-1876) Two vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2014-2398, CVE-2014-2413) A vulnerability was discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-2403). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 73801 published 2014-05-01 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73801 title Ubuntu 12.10 / 13.10 / 14.04 LTS : openjdk-7 vulnerabilities (USN-2187-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0675.NASL description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 76889 published 2014-07-30 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76889 title RHEL 7 : java-1.7.0-openjdk (RHSA-2014:0675) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0414.NASL description Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. [Updated 12th May 2014] The package list in this erratum has been updated to make the packages available in the Oracle Java for Red Hat Enterprise Linux 6 Workstation x86_64 channels on the Red Hat Network. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory pages, listed in the References section. (CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2461, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5852, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 75 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 79011 published 2014-11-08 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79011 title RHEL 5 / 6 : java-1.6.0-sun (RHSA-2014:0414) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0406.NASL description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73585 published 2014-04-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73585 title RHEL 6 : java-1.7.0-openjdk (RHSA-2014:0406) NASL family Solaris Local Security Checks NASL id SOLARIS10_118666.NASL description JavaSE 5.0: update 85 patch (equivalent to JDK 5.0u85). Date this patch was last updated by Sun : Apr/13/15 This plugin has been deprecated and either replaced with individual 118666 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 19443 published 2005-08-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=19443 title Solaris 10 (sparc) : 118666-86 (deprecated) NASL family Solaris Local Security Checks NASL id SOLARIS8_X86_118668.NASL description JavaSE 5.0_x86: update 85 patch (equivalent to JDK 5.0u85). Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19457 published 2005-08-18 reporter This script is Copyright (C) 2005-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19457 title Solaris 8 (x86) : 118668-86 NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0732-1.NASL description IBM Java 5 was updated to SR 16 FP 6 to fix several bugs and security issues. Further information is available at: https://www.ibm.com/developerworks/java/jdk/aix/j532/fixes.html#SR16FP 6 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83625 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83625 title SUSE SLES10 Security Update : IBM Java 5 (SUSE-SU-2014:0732-1) NASL family Misc. NASL id VMWARE_VCENTER_VMSA-2014-0008.NASL description The VMware vCenter Server installed on the remote host is version 5.0 prior to Update 3c, 5.1 prior to Update 3, or 5.5 prior to Update 2. It is, therefore, affected by multiple vulnerabilities in third party libraries : - The bundled version of Apache Struts contains a code execution flaw. Note that 5.0 Update 3c only addresses this vulnerability. (CVE-2014-0114) - The bundled tc-server / Apache Tomcat contains multiple vulnerabilities. (CVE-2013-4590, CVE-2013-4322, and CVE-2014-0050) - The bundled version of Oracle JRE is prior to 1.7.0_55 and thus is affected by multiple vulnerabilities. Note that this only affects version 5.5 of vCenter. last seen 2020-06-01 modified 2020-06-02 plugin id 77728 published 2014-09-17 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77728 title VMware Security Updates for vCenter Server (VMSA-2014-0008) NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_118668.NASL description JavaSE 5.0_x86: update 85 patch (equivalent to JDK 5.0u85). Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19461 published 2005-08-18 reporter This script is Copyright (C) 2005-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19461 title Solaris 9 (x86) : 118668-86 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2191-1.NASL description Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0461, CVE-2014-0462, CVE-2014-2397, CVE-2014-2405, CVE-2014-2412, CVE-2014-2414, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427) Two vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-0453, CVE-2014-0460) A vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit this to cause a denial of service. (CVE-2014-0459) Jakub Wilk discovered that the OpenJDK JRE incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. (CVE-2014-1876) A vulnerability was discovered in the OpenJDK JRE related to data integrity. (CVE-2014-2398) A vulnerability was discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-2403). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 73822 published 2014-05-02 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73822 title Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2191-1) NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_125138.NASL description JavaSE 6_x86: update 101 patch (equivalent. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27033 published 2007-10-12 reporter This script is Copyright (C) 2007-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27033 title Solaris 9 (x86) : 125138-97 NASL family Solaris Local Security Checks NASL id SOLARIS8_X86_125139.NASL description JavaSE 6_x86: update 101 patch (equivalent. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27016 published 2007-10-12 reporter This script is Copyright (C) 2007-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27016 title Solaris 8 (x86) : 125139-97 NASL family Solaris Local Security Checks NASL id SOLARIS9_118666.NASL description JavaSE 5.0: update 85 patch (equivalent to JDK 5.0u85). Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19459 published 2005-08-18 reporter This script is Copyright (C) 2005-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19459 title Solaris 9 (sparc) : 118666-86 NASL family Windows NASL id IBM_DOMINO_9_0_1_FP2.NASL description The version of IBM Domino (formerly Lotus Domino) installed on the remote host is 9.0.x prior to 9.0.1 Fix Pack 2 (FP2). It is, therefore, affected by the following vulnerabilities : - An unspecified error exists related to the TLS implementation and the IBM HTTP server that could allow certain error cases to cause 100% CPU utilization. Note this issue only affects Microsoft Windows hosts. (CVE-2014-0963) - Fixes in the Oracle Java CPU for April 2014 are included in the fixed IBM Java release, which is included in the fixed IBM Domino release. (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) - A man-in-the-middle (MitM) information disclosure vulnerability, known as POODLE, exists due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) last seen 2020-06-01 modified 2020-06-02 plugin id 77811 published 2014-09-23 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77811 title IBM Domino 9.0.x < 9.0.1 Fix Pack 2 Multiple Vulnerabilities (credentialed check) (POODLE) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0407.NASL description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73586 published 2014-04-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73586 title RHEL 5 : java-1.7.0-openjdk (RHSA-2014:0407) NASL family Misc. NASL id ORACLE_JAVA_CPU_APR_2014_UNIX.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 8 Update 5, 7 Update 55, 6 Update 75, or 5 Update 65. It is, therefore, potentially affected by security issues in the following components : - 2D - AWT - Deployment - Hotspot - JAX-WS - JAXB - JAXP - JNDI - JavaFX - Javadoc - Libraries - Scripting - Security - Sound last seen 2020-06-01 modified 2020-06-02 plugin id 73571 published 2014-04-16 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73571 title Oracle Java SE Multiple Vulnerabilities (April 2014 CPU) (Unix) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-326.NASL description An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456 , CVE-2014-2397 , CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457 , CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412 , CVE-2014-0451 , CVE-2014-0458 , CVE-2014-2423 , CVE-2014-0452 , CVE-2014-2414 , CVE-2014-0446 , CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) last seen 2020-06-01 modified 2020-06-02 plugin id 73654 published 2014-04-23 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73654 title Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2014-326) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0486.NASL description Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-0457, CVE-2014-2421, CVE-2014-0429, CVE-2014-0461, CVE-2014-0455, CVE-2014-2428, CVE-2014-0448, CVE-2014-0454, CVE-2014-0446, CVE-2014-0452, CVE-2014-0451, CVE-2014-2402, CVE-2014-2423, CVE-2014-2427, CVE-2014-0458, CVE-2014-2414, CVE-2014-2412, CVE-2014-2409, CVE-2014-0460, CVE-2013-6954, CVE-2013-6629, CVE-2014-2401, CVE-2014-0449, CVE-2014-0459, CVE-2014-0453, CVE-2014-2398, CVE-2014-1876, CVE-2014-2420) All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR7 release. All running instances of IBM Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 74005 published 2014-05-14 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74005 title RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2014:0486) NASL family SuSE Local Security Checks NASL id SUSE_11_JAVA-1_6_0-IBM-140514.NASL description BM Java 6 was updated to version 6 SR16 to fix several security issues and various other bugs. More information can be found at: http://www.ibm.com/developerworks/java/jdk/alerts/ last seen 2020-06-05 modified 2014-06-03 plugin id 74284 published 2014-06-03 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74284 title SuSE 11.3 Security Update : IBM Java 6 (SAT Patch Number 9256) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0705.NASL description Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 7 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR1 release. All running instances of IBM Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 76900 published 2014-07-30 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76900 title RHEL 7 : java-1.7.1-ibm (RHSA-2014:0705) NASL family Solaris Local Security Checks NASL id SOLARIS9_118667.NASL description JavaSE 5.0: update 85 patch (equivalent to JDK 5.0u85), 64bit. Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19460 published 2005-08-18 reporter This script is Copyright (C) 2005-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19460 title Solaris 9 (sparc) : 118667-86 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0685.NASL description From Red Hat Security Advisory 2014:0685 : Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 76732 published 2014-07-24 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76732 title Oracle Linux 7 : java-1.6.0-openjdk (ELSA-2014-0685) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-773.NASL description This openjdk update fixes the following security and non security issues : - Upgrade to 2.4.8 (bnc#887530) - Changed back from gzipped tarball to xz - Changed the keyring file to add Andrew John Hughes that signed the icedtea package - Change ZERO to AARCH64 tarball - Removed patches : - gstackbounds.patch - java-1.7.0-openjdk-ppc-zero-jdk.patch - java-1.7.0-openjdk-ppc-zero-hotspot.patch - Integrated in upstream icedtea - java-1.7.0-openjdk-makefiles-zero.patch - Does not apply on the AARCH64 tarball, since the change from DEFAULT and ZERO tarball to DEFAULT and AARCH64 - Upstream changes since 2.4.4 : - Security fixes - S8029755, CVE-2014-4209: Enhance subject class - S8030763: Validate global memory allocation - S8031340, CVE-2014-4264: Better TLS/EC management - S8031346, CVE-2014-4244: Enhance RSA key handling - S8031540: Introduce document horizon - S8032536: JVM resolves wrong method in some unusual cases - S8033055: Issues in 2d - S8033301, CVE-2014-4266: Build more informative InfoBuilder - S8034267: Probabilistic native crash - S8034272: Do not cram data into CRAM arrays - S8034985, CVE-2014-2483: Better form for Lambda Forms - S8035004, CVE-2014-4252: Provider provides less service - S8035009, CVE-2014-4218: Make Proxy representations consistent - S8035119, CVE-2014-4219: Fix exceptions to bytecode verification - S8035699, CVE-2014-4268: File choosers should be choosier - S8035788. CVE-2014-4221: Provide more consistency for lookups - S8035793, CVE-2014-4223: Maximum arity maxed out - S8036571: (process) Process process arguments carefully - S8036800: Attribute OOM to correct part of code - S8037046: Validate libraries to be loaded - S8037076, CVE-2014-2490: Check constant pool constants - S8037157: Verify <init> call - S8037162, CVE-2014-4263: More robust DH exchanges - S8037167, CVE-2014-4216: Better method signature resolution - S8039520, CVE-2014-4262: More atomicity of atomic updates - S8023046: Enhance splashscreen support - S8025005: Enhance CORBA initializations - S8025010, CVE-2014-2412: Enhance AWT contexts - S8025030, CVE-2014-2414: Enhance stream handling - S8025152, CVE-2014-0458: Enhance activation set up - S8026067: Enhance signed jar verification - S8026163, CVE-2014-2427: Enhance media provisioning - S8026188, CVE-2014-2423: Enhance envelope factory - S8026200: Enhance RowSet Factory - S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling - S8026736, CVE-2014-2398: Enhance Javadoc pages - S8026797, CVE-2014-0451: Enhance data transfers - S8026801, CVE-2014-0452: Enhance endpoint addressing - S8027766, CVE-2014-0453: Enhance RSA processing - S8027775: Enhance ICU code. - S8027841, CVE-2014-0429: Enhance pixel manipulations - S8028385: Enhance RowSet Factory - S8029282, CVE-2014-2403: Enhance CharInfo set up - S8029286: Enhance subject delegation - S8029699: Update Poller demo - S8029730: Improve audio device additions - S8029735: Enhance service mgmt natives - S8029740, CVE-2014-0446: Enhance handling of loggers - S8029745, CVE-2014-0454: Enhance algorithm checking - S8029750: Enhance LCMS color processing (in-tree LCMS) - S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg) - S8029844, CVE-2014-0455: Enhance argument validation - S8029854, CVE-2014-2421: Enhance JPEG decodings - S8029858, CVE-2014-0456: Enhance array copies - S8030731, CVE-2014-0460: Improve name service robustness - S8031330: Refactor ObjectFactory - S8031335, CVE-2014-0459: Better color profiling (in-tree LCMS) - S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng) - S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader - S8031395: Enhance LDAP processing - S8032686, CVE-2014-2413: Issues with method invoke - S8033618, CVE-2014-1876: Correct logging output - S8034926, CVE-2014-2397: Attribute classes properly - S8036794, CVE-2014-0461: Manage JavaScript instances - Backports - S5049299: (process) Use posix_spawn, not fork, on S10 to avoid swap exhaustion - S6571600: JNI use results in UnsatisfiedLinkError looking for libmawt.so - S7131153: GetDC called way too many times - causes bad performance. - S7190349: [macosx] Text (Label) is incorrectly drawn with a rotated g2d - S8001108: an attempt to use last seen 2020-06-05 modified 2014-12-16 plugin id 80046 published 2014-12-16 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80046 title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2014:1638-1) NASL family Solaris Local Security Checks NASL id SOLARIS10_125137.NASL description JavaSE 6: update 101 patch (equivalent to. Date this patch was last updated by Sun : Jul/13/15 This plugin has been deprecated and either replaced with individual 125137 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 26985 published 2007-10-12 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=26985 title Solaris 10 (sparc) : 125137-97 (deprecated) NASL family Scientific Linux Local Security Checks NASL id SL_20140416_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL description An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX- WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-03-18 modified 2014-04-17 plugin id 73589 published 2014-04-17 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73589 title Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20140416) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-100.NASL description Updated java-1.7.0-openjdk packages fix security vulnerabilities : An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine (CVE-2014-0429). Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421). Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461). Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459). Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks (CVE-2014-0460). It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability (CVE-2014-2403). It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption (CVE-2014-0453). It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks (CVE-2014-2398). An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200 (CVE-2014-1876). Note that the CVE-2014-0459 issue is in the lcms2 library, which has been patched to correct this flaw. last seen 2020-06-01 modified 2020-06-02 plugin id 74078 published 2014-05-19 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74078 title Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2014:100) NASL family Solaris Local Security Checks NASL id SOLARIS8_X86_125138.NASL description JavaSE 6_x86: update 101 patch (equivalent. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27015 published 2007-10-12 reporter This script is Copyright (C) 2007-2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27015 title Solaris 8 (x86) : 125138-97 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0685.NASL description Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 76894 published 2014-07-30 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76894 title RHEL 7 : java-1.6.0-openjdk (RHSA-2014:0685) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2912.NASL description Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service. last seen 2020-03-17 modified 2014-04-25 plugin id 73691 published 2014-04-25 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73691 title Debian DSA-2912-1 : openjdk-6 - security update NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-0406.NASL description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73578 published 2014-04-17 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73578 title CentOS 6 : java-1.7.0-openjdk (CESA-2014:0406) NASL family Scientific Linux Local Security Checks NASL id SL_20140416_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL description An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX- WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) This update also fixes the following bug : - The OpenJDK update to IcedTea version 1.13 introduced a regression related to the handling of the jdk_version_info variable. This variable was not properly zeroed out before being passed to the Java Virtual Machine, resulting in a memory leak in the java.lang.ref.Finalizer class. This update fixes this issue, and memory leaks no longer occur. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-03-18 modified 2014-04-17 plugin id 73588 published 2014-04-17 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73588 title Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64 (20140416) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0675.NASL description From Red Hat Security Advisory 2014:0675 : Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 76727 published 2014-07-24 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76727 title Oracle Linux 7 : java-1.7.0-openjdk (ELSA-2014-0675) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201406-32.NASL description The remote host is affected by the vulnerability described in GLSA-201406-32 (IcedTea JDK: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 76303 published 2014-06-30 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76303 title GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_125139.NASL description JavaSE 6_x86: update 101 patch (equivalent. Date this patch was last updated by Sun : Jul/13/15 This plugin has been deprecated and either replaced with individual 125139 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 26996 published 2007-10-12 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=26996 title Solaris 10 (x86) : 125139-97 (deprecated) NASL family SuSE Local Security Checks NASL id SUSE_11_JAVA-1_7_0-IBM-140515.NASL description IBM Java 7 was updated to version SR7, which received security and bug fixes. More information is available at: http://www.ibm.com/developerworks/java/jdk/aix/j764/Java7_64.fixes.htm l#SR7 last seen 2020-06-05 modified 2014-06-01 plugin id 74254 published 2014-06-01 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74254 title SuSE 11.3 Security Update : IBM Java 7 (SAT Patch Number 9263) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0408.NASL description From Red Hat Security Advisory 2014:0408 : Updated java-1.6.0-openjdk packages that fix various security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) This update also fixes the following bug : * The OpenJDK update to IcedTea version 1.13 introduced a regression related to the handling of the jdk_version_info variable. This variable was not properly zeroed out before being passed to the Java Virtual Machine, resulting in a memory leak in the java.lang.ref.Finalizer class. This update fixes this issue, and memory leaks no longer occur. (BZ#1085373) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73584 published 2014-04-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73584 title Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2014-0408) NASL family Solaris Local Security Checks NASL id SOLARIS8_125137.NASL description JavaSE 6: update 101 patch (equivalent to. Date this patch was last updated by Sun : Jul/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 27009 published 2007-10-12 reporter This script is Copyright (C) 2007-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27009 title Solaris 8 (sparc) : 125137-97 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0408.NASL description Updated java-1.6.0-openjdk packages that fix various security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) This update also fixes the following bug : * The OpenJDK update to IcedTea version 1.13 introduced a regression related to the handling of the jdk_version_info variable. This variable was not properly zeroed out before being passed to the Java Virtual Machine, resulting in a memory leak in the java.lang.ref.Finalizer class. This update fixes this issue, and memory leaks no longer occur. (BZ#1085373) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73587 published 2014-04-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73587 title RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2014:0408) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-0408.NASL description Updated java-1.6.0-openjdk packages that fix various security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) This update also fixes the following bug : * The OpenJDK update to IcedTea version 1.13 introduced a regression related to the handling of the jdk_version_info variable. This variable was not properly zeroed out before being passed to the Java Virtual Machine, resulting in a memory leak in the java.lang.ref.Finalizer class. This update fixes this issue, and memory leaks no longer occur. (BZ#1085373) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73580 published 2014-04-17 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73580 title CentOS 5 / 6 : java-1.6.0-openjdk (CESA-2014:0408) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-0407.NASL description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73579 published 2014-04-17 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73579 title CentOS 5 : java-1.7.0-openjdk (CESA-2014:0407) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0508.NASL description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-0457, CVE-2014-2421, CVE-2014-0429, CVE-2014-0461, CVE-2014-2428, CVE-2014-0446, CVE-2014-0452, CVE-2014-0451, CVE-2014-2423, CVE-2014-2427, CVE-2014-0458, CVE-2014-2414, CVE-2014-2412, CVE-2014-2409, CVE-2014-0460, CVE-2013-6954, CVE-2013-6629, CVE-2014-2401, CVE-2014-0449, CVE-2014-0453, CVE-2014-2398, CVE-2014-1876, CVE-2014-2420) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16 release. All running instances of IBM Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 74031 published 2014-05-16 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74031 title RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2014:0508) NASL family Solaris Local Security Checks NASL id SOLARIS10_118667.NASL description JavaSE 5.0: update 85 patch (equivalent to JDK 5.0u85), 64bit. Date this patch was last updated by Sun : Apr/13/15 This plugin has been deprecated and either replaced with individual 118667 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 19444 published 2005-08-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=19444 title Solaris 10 (sparc) : 118667-86 (deprecated) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0982.NASL description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Network Satellite Server 5.4, 5.5, and 5.6. The Red Hat Security Response Team has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Network Satellite Server 5.4, 5.5, and 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0457, CVE-2014-0458, CVE-2014-0460, CVE-2014-0461, CVE-2014-0878, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) Users of Red Hat Network Satellite Server 5.4, 5.5, and 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16 release. For this update to take effect, Red Hat Network Satellite Server must be restarted ( last seen 2020-06-01 modified 2020-06-02 plugin id 79039 published 2014-11-08 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79039 title RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2014:0982) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_118668.NASL description JavaSE 5.0_x86: update 85 patch (equivalent to JDK 5.0u85). Date this patch was last updated by Sun : Apr/13/15 This plugin has been deprecated and either replaced with individual 118668 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 19450 published 2005-08-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=19450 title Solaris 10 (x86) : 118668-86 (deprecated) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-327.NASL description An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456 , CVE-2014-2397 , CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457 , CVE-2014-0455 , CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412 , CVE-2014-0451 , CVE-2014-0458 , CVE-2014-2423 , CVE-2014-0452 , CVE-2014-2414 , CVE-2014-2402 , CVE-2014-0446 , CVE-2014-2413 , CVE-2014-0454 , CVE-2014-2427 , CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) last seen 2020-06-01 modified 2020-06-02 plugin id 73655 published 2014-04-23 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73655 title Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2014-327) NASL family Solaris Local Security Checks NASL id SOLARIS10_125136.NASL description JavaSE 6: update 101 patch (equivalent to. Date this patch was last updated by Sun : Jul/13/15 This plugin has been deprecated and either replaced with individual 125136 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 26984 published 2007-10-12 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=26984 title Solaris 10 (sparc) : 125136-97 (deprecated) NASL family Windows NASL id VMWARE_VCENTER_UPDATE_MGR_VMSA-2014-0008.NASL description The version of VMware vCenter Update Manager installed on the remote Windows host is 5.5 prior to Update 2. It is, therefore, affected by multiple vulnerabilities related to the bundled version of Oracle JRE prior to 1.7.0_55. last seen 2020-06-01 modified 2020-06-02 plugin id 77727 published 2014-09-17 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77727 title VMware vCenter Update Manager Multiple Java Vulnerabilities (VMSA-2014-0008) NASL family Misc. NASL id DOMINO_9_0_1_FP2.NASL description According to its version, the IBM Domino (formerly IBM Lotus Domino) application on the remote host is 9.x prior to 9.0.1 Fix Pack 2 (FP2). It is, therefore, affected by the following vulnerabilities : - An unspecified error exists related to the TLS implementation and the IBM HTTP server that could allow certain error cases to cause 100% CPU utilization. Note that this issue only affects Microsoft Windows hosts. (CVE-2014-0963) - Fixes in the Oracle Java CPU for April 2014 are included in the fixed IBM Java release, which is included in the fixed IBM Domino release. (CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) last seen 2020-06-01 modified 2020-06-02 plugin id 77810 published 2014-09-23 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77810 title IBM Domino 9.x < 9.0.1 Fix Pack 2 Multiple Vulnerabilities (uncredentialed check) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0406.NASL description From Red Hat Security Advisory 2014:0406 : Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73583 published 2014-04-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73583 title Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2014-0406) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0407.NASL description From Red Hat Security Advisory 2014:0407 : Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 73605 published 2014-04-18 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73605 title Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2014-0407) NASL family AIX Local Security Checks NASL id AIX_JAVA_APR2014_ADVISORY.NASL description The version of Java SDK installed on the remote host is potentially affected by the following vulnerabilities : - There is an information disclosure flaw in libjpeg and libjpeg-turbo allowing remote attackers access to uninitialized memory via crafted JPEG images. (CVE-2013-6629) - A vulnerability in libpng allows denial of service attacks via a flaw in pngtran.c pngset.c. (CVE-2013-6954) - Vulnerabilities in Oracle Java allow remote code execution via flaws in 2D image handling. (CVE-2014-0429, CVE-2014-2401, CVE-2014-2421) - A vulnerability in Oracle Java allows remote code execution via a flaw in logger handling. (CVE-2014-0446) - Vulnerabilities in Oracle Java allow remote code execution via flaws in the Deployment subcomponent. (CVE-2014-0448, CVE-2014-0449, CVE-2014-2409, CVE-2014-2420, CVE-2014-2428) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in AWT. (CVE-2014-0451, CVE-2014-2412) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in W3CEndpointReference.java. (CVE-2014-0452) - An information disclosure vulnerability in Oracle Java RSAPadding allows a remote attacker to view timing information protected by encryption. (CVE-2014-0452) - A vulnerability in Oracle Java allows a remote attacker to modify the SIGNATURE_PRIMITIVE_SET through flaws in SignatureAndHalshAlgorithm and AlgorithmChecker. (CVE-2014-0454) - A vulnerability in Oracle Java allows remote code execution via a flaw in MethodHandles.java. (CVE-2014-0455) - A vulnerability in Oracle Java allows remote code execution via a flaw in exception handling. (CVE-2014-0457) - Vulnerabilities in Oracle Java allow a remote attacker to bypass security features through flaws in JAX-WS. (CVE-2014-0458, CVE-2014-2423) - An unspecified vulnerability exists in Oracle Java via sandboxed applications. (CVE-2014-0459) - A vulnerability in Oracle Java allows remote attackers to conduct spoofing attacks via a flaw in the DnsClient component. (CVE-2014-0460) - A vulnerability in Oracle Java allows remote code execution via a flaw in ScriptEngineManager.java. (CVE-2014-0461) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in the random number generation of cryptographic protection. (CVE-2014-0878) - A privilege escalation vulnerability in Oracle Java allows remote attacks to overwrite arbitrary files via a flaw in unpack200. (CVE-2014-1876) - A vulnerability in Oracle Java allows remote code execution via a flaw in Javadoc. (CVE-2014-2398) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in asynchronous channel handling across threads. (CVE-2014-2402) - Vulnerabilities in Oracle Java allow a remote attacker to bypass security features through flaws in JAXB. (CVE-2014-2414) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in Java sound libraries. (CVE-2014-2427) last seen 2020-06-01 modified 2020-06-02 plugin id 76870 published 2014-07-28 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76870 title AIX Java Advisory : java_apr2014_advisory.asc NASL family Solaris Local Security Checks NASL id SOLARIS8_X86_118669.NASL description JavaSE 5.0_x86: update 85 patch (equivalent to JDK 5.0u85), 64bit. Date this patch was last updated by Sun : Apr/13/15 last seen 2020-06-01 modified 2020-06-02 plugin id 19582 published 2005-09-06 reporter This script is Copyright (C) 2005-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19582 title Solaris 8 (x86) : 118669-86
Redhat
advisories |
| ||||||||||||||||
rpms |
|
The Hacker News
id | THN:F163E519BC7D66DC74B0794EF8746E50 |
last seen | 2018-01-27 |
modified | 2014-04-17 |
published | 2014-04-16 |
reporter | Wang Wei |
source | https://thehackernews.com/2014/04/oracle-releases-critical-update-to.html |
title | Oracle releases Critical Update to Patch 104 Vulnerabilities |
References
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
- http://www.debian.org/security/2014/dsa-2912
- http://www.ubuntu.com/usn/USN-2191-1
- http://secunia.com/advisories/58415
- http://www.ubuntu.com/usn/USN-2187-1
- http://www-01.ibm.com/support/docview.wss?uid=swg21672080
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://security.gentoo.org/glsa/glsa-201502-12.xml
- http://marc.info/?l=bugtraq&m=140852974709252&w=2
- http://marc.info/?l=bugtraq&m=140852886808946&w=2
- http://www.securityfocus.com/bid/66879
- http://rhn.redhat.com/errata/RHSA-2014-0685.html
- http://rhn.redhat.com/errata/RHSA-2014-0675.html
- https://access.redhat.com/errata/RHSA-2014:0414
- https://access.redhat.com/errata/RHSA-2014:0413