Vulnerabilities > CVE-2014-0464 - Unspecified vulnerability in Oracle JDK and JRE

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
oracle
nessus

Summary

Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0463.

Vulnerable Configurations

Part Description Count
Application
Oracle
2

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201502-12.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201502-12 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Oracle’s Java SE Development Kit and Runtime Environment. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker may be able to execute arbitrary code, disclose, update, insert, or delete certain data. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id81370
    published2015-02-16
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81370
    titleGLSA-201502-12 : Oracle JRE/JDK: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201502-12.
    #
    # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81370);
      script_version("1.4");
      script_cvs_date("Date: 2019/08/12 17:35:38");
    
      script_cve_id("CVE-2014-0429", "CVE-2014-0432", "CVE-2014-0446", "CVE-2014-0448", "CVE-2014-0449", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-0453", "CVE-2014-0454", "CVE-2014-0455", "CVE-2014-0456", "CVE-2014-0457", "CVE-2014-0458", "CVE-2014-0459", "CVE-2014-0460", "CVE-2014-0461", "CVE-2014-0463", "CVE-2014-0464", "CVE-2014-2397", "CVE-2014-2398", "CVE-2014-2401", "CVE-2014-2402", "CVE-2014-2403", "CVE-2014-2409", "CVE-2014-2410", "CVE-2014-2412", "CVE-2014-2413", "CVE-2014-2414", "CVE-2014-2420", "CVE-2014-2421", "CVE-2014-2422", "CVE-2014-2423", "CVE-2014-2427", "CVE-2014-2428", "CVE-2014-2483", "CVE-2014-2490", "CVE-2014-4208", "CVE-2014-4209", "CVE-2014-4216", "CVE-2014-4218", "CVE-2014-4219", "CVE-2014-4220", "CVE-2014-4221", "CVE-2014-4223", "CVE-2014-4227", "CVE-2014-4244", "CVE-2014-4247", "CVE-2014-4252", "CVE-2014-4262", "CVE-2014-4263", "CVE-2014-4264", "CVE-2014-4265", "CVE-2014-4266", "CVE-2014-4268", "CVE-2014-4288", "CVE-2014-6456", "CVE-2014-6457", "CVE-2014-6458", "CVE-2014-6466", "CVE-2014-6468", "CVE-2014-6476", "CVE-2014-6485", "CVE-2014-6492", "CVE-2014-6493", "CVE-2014-6502", "CVE-2014-6503", "CVE-2014-6504", "CVE-2014-6506", "CVE-2014-6511", "CVE-2014-6512", "CVE-2014-6513", "CVE-2014-6515", "CVE-2014-6517", "CVE-2014-6519", "CVE-2014-6527", "CVE-2014-6531", "CVE-2014-6532", "CVE-2014-6558", "CVE-2014-6562");
      script_bugtraq_id(66856, 66866, 66870, 66873, 66877, 66879, 66881, 66883, 66886, 66887, 66891, 66893, 66894, 66897, 66898, 66899, 66902, 66903, 66904, 66905, 66907, 66908, 66909, 66910, 66911, 66912, 66913, 66914, 66915, 66916, 66917, 66918, 66919, 66920, 68562, 68571, 68576, 68580, 68583, 68590, 68596, 68599, 68603, 68608, 68612, 68615, 68620, 68624, 68626, 68632, 68636, 68639, 68642, 68645, 70456, 70460, 70468, 70470, 70484, 70488, 70507, 70518, 70519, 70522, 70523, 70531, 70533, 70538, 70544, 70548, 70552, 70556, 70560, 70564, 70565, 70567, 70569, 70570, 70572);
      script_xref(name:"GLSA", value:"201502-12");
    
      script_name(english:"GLSA-201502-12 : Oracle JRE/JDK: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201502-12
    (Oracle JRE/JDK: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Oracle’s Java SE
          Development Kit and Runtime Environment. Please review the CVE
          identifiers referenced below for details.
      
    Impact :
    
        A context-dependent attacker may be able to execute arbitrary code,
          disclose, update, insert, or delete certain data.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201502-12"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Oracle JRE 1.7 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=dev-java/oracle-jre-bin-1.7.0.71'
        All Oracle JDK 1.7 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=dev-java/oracle-jdk-bin-1.7.0.71'
        All users of the precompiled 32-bit Oracle JRE should upgrade to the
          latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=app-emulation/emul-linux-x86-java-1.7.0.71'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:emul-linux-x86-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:oracle-jdk-bin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:oracle-jre-bin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-java/oracle-jre-bin", unaffected:make_list("ge 1.7.0.71"), vulnerable:make_list("lt 1.7.0.71"))) flag++;
    if (qpkg_check(package:"dev-java/oracle-jdk-bin", unaffected:make_list("ge 1.7.0.71"), vulnerable:make_list("lt 1.7.0.71"))) flag++;
    if (qpkg_check(package:"app-emulation/emul-linux-x86-java", unaffected:make_list("ge 1.7.0.71"), vulnerable:make_list("lt 1.7.0.71"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Oracle JRE/JDK");
    }
    
  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_APR_2014.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 8 Update 5, 7 Update 55, 6 Update 75, or 5 Update 65. It is, therefore, potentially affected by security issues in the following components : - 2D - AWT - Deployment - Hotspot - JAX-WS - JAXB - JAXP - JNDI - JavaFX - Javadoc - Libraries - Scripting - Security - Sound
    last seen2020-06-01
    modified2020-06-02
    plugin id73570
    published2014-04-16
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/73570
    titleOracle Java SE Multiple Vulnerabilities (April 2014 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(73570);
      script_version("1.17");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id(
        "CVE-2013-6629",
        "CVE-2013-6954",
        "CVE-2014-0429",
        "CVE-2014-0432",
        "CVE-2014-0446",
        "CVE-2014-0448",
        "CVE-2014-0449",
        "CVE-2014-0451",
        "CVE-2014-0452",
        "CVE-2014-0453",
        "CVE-2014-0454",
        "CVE-2014-0455",
        "CVE-2014-0456",
        "CVE-2014-0457",
        "CVE-2014-0458",
        "CVE-2014-0459",
        "CVE-2014-0460",
        "CVE-2014-0461",
        "CVE-2014-0463",
        "CVE-2014-0464",
        "CVE-2014-1876",
        "CVE-2014-2397",
        "CVE-2014-2398",
        "CVE-2014-2401",
        "CVE-2014-2402",
        "CVE-2014-2403",
        "CVE-2014-2409",
        "CVE-2014-2410",
        "CVE-2014-2412",
        "CVE-2014-2413",
        "CVE-2014-2414",
        "CVE-2014-2420",
        "CVE-2014-2421",
        "CVE-2014-2422",
        "CVE-2014-2423",
        "CVE-2014-2427",
        "CVE-2014-2428"
      );
      script_bugtraq_id(
        63676,
        64493,
        65568,
        66856,
        66866,
        66870,
        66873,
        66877,
        66879,
        66881,
        66883,
        66886,
        66887,
        66891,
        66893,
        66894,
        66897,
        66898,
        66899,
        66902,
        66903,
        66904,
        66905,
        66907,
        66908,
        66909,
        66910,
        66911,
        66912,
        66913,
        66914,
        66915,
        66916,
        66917,
        66918,
        66919,
        66920
      );
    
      script_name(english:"Oracle Java SE Multiple Vulnerabilities (April 2014 CPU)");
      script_summary(english:"Checks version of the JRE");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a programming platform that is
    potentially affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business
    installed on the remote host is earlier than 8 Update 5, 7 Update 55,
    6 Update 75, or 5 Update 65.  It is, therefore, potentially affected
    by security issues in the following components :
    
      - 2D
      - AWT
      - Deployment
      - Hotspot
      - JAX-WS
      - JAXB
      - JAXP
      - JNDI
      - JavaFX
      - Javadoc
      - Libraries
      - Scripting
      - Security
      - Sound"
      );
      # http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e3ee66a");
      # Java SE JDK and JRE 8 Update 5
      # https://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f65f6f6e");
      # Java SE JDK and JRE 7 Update 55
      # http://www.oracle.com/technetwork/java/javase/7u55-relnotes-2177812.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?39cb260f");
      # Java SE JDK and JRE 6 Update 75
      # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?726f7054");
      #Java SE JDK and JRE 5.0 Update 65
      # https://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84f3023c");
      script_set_attribute(attribute:"solution", value:
    "Update to JDK / JRE 8 Update 5, 7 Update 55, 6 Update 75, or
    5 Update 65 or later and, if necessary, remove any affected versions.
    
    Note that an Extended Support contract with Oracle is needed to obtain
    JDK / JRE 5 Update 65 or later or 6 Update 75 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/04/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("sun_java_jre_installed.nasl");
      script_require_keys("SMB/Java/JRE/Installed");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit("SMB/Java/JRE/*");
    
    info = "";
    vuln = 0;
    installed_versions = "";
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - "SMB/Java/JRE/";
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + " & " + ver;
    
      # Fixes : (JDK|JRE) 8 Update 5 / 7 Update 55 / 6 Update 75 / 5 Update 65
      if (
        ver =~ '^1\\.5\\.0_([0-9]|[0-5][0-9]|6[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.6\\.0_([0-9]|[0-6][0-9]|7[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.7\\.0_([0-9]|[0-4][0-9]|5[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.8\\.0_[0-4]([^0-9]|$)'
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.5.0_65 / 1.6.0_75 / 1.7.0_55 / 1.8.0_5\n';
      }
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      if (report_verbosity > 0)
      {
        if (vuln > 1) s = "s of Java are";
        else s = " of Java is";
    
        report =
          '\n' +
          'The following vulnerable instance'+s+' installed on the\n' +
          'remote host :\n' +
          info;
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else
    {
      installed_versions = substr(installed_versions, 3);
      if (" & " >< installed_versions)
        exit(0, "The Java "+installed_versions+" installs on the remote host are not affected.");
      else
        audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions);
    }
    
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_APR_2014_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 8 Update 5, 7 Update 55, 6 Update 75, or 5 Update 65. It is, therefore, potentially affected by security issues in the following components : - 2D - AWT - Deployment - Hotspot - JAX-WS - JAXB - JAXP - JNDI - JavaFX - Javadoc - Libraries - Scripting - Security - Sound
    last seen2020-06-01
    modified2020-06-02
    plugin id73571
    published2014-04-16
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/73571
    titleOracle Java SE Multiple Vulnerabilities (April 2014 CPU) (Unix)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(73571);
      script_version("1.16");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id(
        "CVE-2013-6629",
        "CVE-2013-6954",
        "CVE-2014-0429",
        "CVE-2014-0432",
        "CVE-2014-0446",
        "CVE-2014-0448",
        "CVE-2014-0449",
        "CVE-2014-0451",
        "CVE-2014-0452",
        "CVE-2014-0453",
        "CVE-2014-0454",
        "CVE-2014-0455",
        "CVE-2014-0456",
        "CVE-2014-0457",
        "CVE-2014-0458",
        "CVE-2014-0459",
        "CVE-2014-0460",
        "CVE-2014-0461",
        "CVE-2014-0463",
        "CVE-2014-0464",
        "CVE-2014-1876",
        "CVE-2014-2397",
        "CVE-2014-2398",
        "CVE-2014-2401",
        "CVE-2014-2402",
        "CVE-2014-2403",
        "CVE-2014-2409",
        "CVE-2014-2410",
        "CVE-2014-2412",
        "CVE-2014-2413",
        "CVE-2014-2414",
        "CVE-2014-2420",
        "CVE-2014-2421",
        "CVE-2014-2422",
        "CVE-2014-2423",
        "CVE-2014-2427",
        "CVE-2014-2428"
      );
      script_bugtraq_id(
        63676,
        64493,
        65568,
        66856,
        66866,
        66870,
        66873,
        66877,
        66879,
        66881,
        66883,
        66886,
        66887,
        66891,
        66893,
        66894,
        66897,
        66898,
        66899,
        66902,
        66903,
        66904,
        66905,
        66907,
        66908,
        66909,
        66910,
        66911,
        66912,
        66913,
        66914,
        66915,
        66916,
        66917,
        66918,
        66919,
        66920
      );
    
    
      script_name(english:"Oracle Java SE Multiple Vulnerabilities (April 2014 CPU) (Unix)");
      script_summary(english:"Checks version of the JRE");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Unix host contains a programming platform that is
    potentially affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business
    installed on the remote host is earlier than 8 Update 5, 7 Update 55,
    6 Update 75, or 5 Update 65.  It is, therefore, potentially affected by security
    issues in the following components :
    
      - 2D
      - AWT
      - Deployment
      - Hotspot
      - JAX-WS
      - JAXB
      - JAXP
      - JNDI
      - JavaFX
      - Javadoc
      - Libraries
      - Scripting
      - Security
      - Sound"
      );
      # http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e3ee66a");
      # Java SE JDK and JRE 8 Update 5
      # https://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f65f6f6e");
      # Java SE JDK and JRE 7 Update 55
      # https://www.oracle.com/technetwork/java/javase/7u55-relnotes-2177812.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?39cb260f");
      # Java SE JDK and JRE 6 Update 75
      # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?726f7054");
      #Java SE JDK and JRE 5.0 Update 65
      # https://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84f3023c");
      script_set_attribute(attribute:"solution", value:
    "Update to JDK / JRE 8 Update 5, 7 Update 55, 6 Update 75, or
    5 Update 65 or later and, if necessary, remove any affected versions.
    
    Note that an Extended Support contract with Oracle is needed to obtain
    JDK / JRE 5 Update 65 or later or 6 Update 75 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/04/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_set_attribute(attribute:"agent", value:"unix");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("sun_java_jre_installed_unix.nasl");
      script_require_keys("Host/Java/JRE/Installed");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit("Host/Java/JRE/Unmanaged/*");
    
    info = "";
    vuln = 0;
    vuln2 = 0;
    installed_versions = "";
    granular = "";
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - "Host/Java/JRE/Unmanaged/";
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + " & " + ver;
    
      if (
        ver =~ '^1\\.5\\.0_([0-9]|[0-5][0-9]|6[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.6\\.0_([0-9]|[0-6][0-9]|7[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.7\\.0_([0-9]|[0-4][0-9]|5[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.8\\.0_[0-4]([^0-9]|$)'
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.5.0_65 / 1.6.0_75 / 1.7.0_55 / 1.8.0_5\n';
      }
      else if (ver =~ "^[\d\.]+$")
      {
        dirs = make_list(get_kb_list(install));
        foreach dir (dirs)
          granular += "The Oracle Java version "+ver+" at "+dir+" is not granular enough to make a determination."+'\n';
      }
      else
      {
        dirs = make_list(get_kb_list(install));
        vuln2 += max_index(dirs);
      }
    
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      if (report_verbosity > 0)
      {
        if (vuln > 1) s = "s of Java are";
        else s = " of Java is";
    
        report =
          '\n' +
          'The following vulnerable instance'+s+' installed on the\n' +
          'remote host :\n' +
          info;
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      if (granular) exit(0, granular);
    }
    else
    {
      if (granular) exit(0, granular);
    
      installed_versions = substr(installed_versions, 3);
      if (vuln2 > 1)
        exit(0, "The Java "+installed_versions+" installs on the remote host are not affected.");
      else
        exit(0, "The Java "+installed_versions+" install on the remote host is not affected.");
    }
    

The Hacker News

idTHN:F163E519BC7D66DC74B0794EF8746E50
last seen2018-01-27
modified2014-04-17
published2014-04-16
reporterWang Wei
sourcehttps://thehackernews.com/2014/04/oracle-releases-critical-update-to.html
titleOracle releases Critical Update to Patch 104 Vulnerabilities