Vulnerabilities > CVE-2015-0407

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
redhat
canonical
debian
fedoraproject
oracle
nessus

Summary

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0263.NASL
    descriptionUpdated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.7. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) Users of Red Hat Satellite 5.7 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP3 release. For this update to take effect, Red Hat Satellite must be restarted (
    last seen2020-06-01
    modified2020-06-02
    plugin id81504
    published2015-02-25
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81504
    titleRHEL 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0263)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:0263. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81504);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/24 15:35:39");
    
      script_cve_id("CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-8891", "CVE-2014-8892", "CVE-2015-0395", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412");
      script_xref(name:"RHSA", value:"2015:0263");
    
      script_name(english:"RHEL 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0263)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated java-1.6.0-ibm packages that fix several security issues are
    now available for Red Hat Satellite 5.7.
    
    Red Hat Product Security has rated this update as having Low security
    impact. Common Vulnerability Scoring System (CVSS) base scores, which
    give detailed severity ratings, are available for each vulnerability
    from the CVE links in the References section.
    
    This update corrects several security vulnerabilities in the IBM Java
    Runtime Environment shipped as part of Red Hat Satellite 5.7. In a
    typical operating environment, these are of low security risk as the
    runtime is not used on untrusted applets.
    
    Several flaws were fixed in the IBM Java 2 Runtime Environment.
    (CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593,
    CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403,
    CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410,
    CVE-2015-0412)
    
    Users of Red Hat Satellite 5.7 are advised to upgrade to these updated
    packages, which contain the IBM Java SE 6 SR16-FP3 release. For this
    update to take effect, Red Hat Satellite must be restarted
    ('/usr/sbin/rhn-satellite restart'), as well as all running instances
    of IBM Java."
      );
      # https://www.ibm.com/developerworks/java/jdk/alerts/
      script_set_attribute(
        attribute:"see_also",
        value:"https://developer.ibm.com/javasdk/support/security-vulnerabilities/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2015:0263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0406"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0403"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0408"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0407"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0395"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0410"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6591"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6593"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6587"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0412"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6585"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-8892"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-8891"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected java-1.6.0-ibm and / or java-1.6.0-ibm-devel
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2015:0263";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"java-1.6.0-ibm-1.6.0.16.3-1jpp.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-ibm-1.6.0.16.3-1jpp.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"java-1.6.0-ibm-devel-1.6.0.16.3-1jpp.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-ibm-devel-1.6.0.16.3-1jpp.1.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.6.0-ibm / java-1.6.0-ibm-devel");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0079.NASL
    descriptionUpdated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413) The CVE-2015-0383 issue was discovered by Red Hat. Note: With this update, the Oracle Java SE now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the Red Hat Bugzilla bug linked to in the References section for instructions on how to re-enable SSL 3.0 support if needed. All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 75 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80931
    published2015-01-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80931
    titleRHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2015:0079) (POODLE)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:0079. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80931);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/24 15:35:39");
    
      script_cve_id("CVE-2014-3566", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412", "CVE-2015-0413");
      script_xref(name:"RHSA", value:"2015:0079");
    
      script_name(english:"RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2015:0079) (POODLE)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated java-1.7.0-oracle packages that fix several security issues
    are now available for Oracle Java for Red Hat Enterprise Linux 5, 6,
    and 7.
    
    Red Hat Product Security has rated this update as having Critical
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Oracle Java SE version 7 includes the Oracle Java Runtime Environment
    and the Oracle Java Software Development Kit.
    
    This update fixes several vulnerabilities in the Oracle Java Runtime
    Environment and the Oracle Java Software Development Kit. Further
    information about these flaws can be found on the Oracle Java SE
    Critical Patch Update Advisory page, listed in the References section.
    (CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591,
    CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
    CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408,
    CVE-2015-0410, CVE-2015-0412, CVE-2015-0413)
    
    The CVE-2015-0383 issue was discovered by Red Hat.
    
    Note: With this update, the Oracle Java SE now disables the SSL 3.0
    protocol to address the CVE-2014-3566 issue (also known as POODLE).
    Refer to the Red Hat Bugzilla bug linked to in the References section
    for instructions on how to re-enable SSL 3.0 support if needed.
    
    All users of java-1.7.0-oracle are advised to upgrade to these updated
    packages, which provide Oracle Java 7 Update 75 and resolve these
    issues. All running instances of Oracle Java must be restarted for the
    update to take effect."
      );
      # http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?df55894d"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c82"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2015:0079"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-3566"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6585"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6587"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6591"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6593"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6601"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0383"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0395"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0403"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0406"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0407"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0408"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0410"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0412"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-0413"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^(5|6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2015:0079";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el5_11")) flag++;
    
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-devel-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-javafx-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-plugin-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-src-1.7.0.75-1jpp.1.el6")) flag++;
    
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.7.0-oracle-1.7.0.75-1jpp.2.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-oracle-1.7.0.75-1jpp.2.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-oracle-devel-1.7.0.75-1jpp.2.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-oracle-javafx-1.7.0.75-1jpp.2.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-oracle-jdbc-1.7.0.75-1jpp.2.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-oracle-plugin-1.7.0.75-1jpp.2.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-oracle-src-1.7.0.75-1jpp.2.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-oracle / java-1.7.0-oracle-devel / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3144.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, information disclosure or denial of service.
    last seen2020-03-17
    modified2015-01-30
    plugin id81090
    published2015-01-30
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81090
    titleDebian DSA-3144-1 : openjdk-7 - security update (POODLE)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3144. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81090);
      script_version("1.22");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-3566", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412");
      script_bugtraq_id(70574, 72132, 72136, 72140, 72142, 72155, 72162, 72165, 72168, 72169, 72173, 72175);
      script_xref(name:"DSA", value:"3144");
    
      script_name(english:"Debian DSA-3144-1 : openjdk-7 - security update (POODLE)");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in OpenJDK, an
    implementation of the Oracle Java platform, resulting in the execution
    of arbitrary code, information disclosure or denial of service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/openjdk-7"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2015/dsa-3144"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the openjdk-7 packages.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 7u75-2.5.4-1~deb7u1.
    
    For the upcoming stable distribution (jessie), these problems will be
    fixed soon."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openjdk-7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/30");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"icedtea-7-jre-cacao", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"icedtea-7-jre-jamvm", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-dbg", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-demo", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-doc", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jdk", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre-headless", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre-lib", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre-zero", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-source", reference:"7u75-2.5.4-1~deb7u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-471.NASL
    descriptionA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412 , CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
    last seen2020-06-01
    modified2020-06-02
    plugin id80921
    published2015-01-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80921
    titleAmazon Linux AMI : java-1.7.0-openjdk (ALAS-2015-471) (POODLE)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-471.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80921);
      script_version("1.14");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2014-3566", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412");
      script_xref(name:"ALAS", value:"2015-471");
      script_xref(name:"RHSA", value:"2015:0067");
    
      script_name(english:"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2015-471) (POODLE)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was found in the way the Hotspot component in OpenJDK verified
    bytecode from the class files. An untrusted Java application or applet
    could possibly use this flaw to bypass Java sandbox restrictions.
    (CVE-2014-6601)
    
    Multiple improper permission check issues were discovered in the
    JAX-WS, and RMI components in OpenJDK. An untrusted Java application
    or applet could use these flaws to bypass Java sandbox restrictions.
    (CVE-2015-0412 , CVE-2015-0408)
    
    A flaw was found in the way the Hotspot garbage collector handled
    phantom references. An untrusted Java application or applet could use
    this flaw to corrupt the Java Virtual Machine memory and, possibly,
    execute arbitrary code, bypassing Java sandbox restrictions.
    (CVE-2015-0395)
    
    A flaw was found in the way the DER (Distinguished Encoding Rules)
    decoder in the Security component in OpenJDK handled negative length
    values. A specially crafted, DER-encoded input could cause a Java
    application to enter an infinite loop when decoded. (CVE-2015-0410)
    
    A flaw was found in the way the SSL 3.0 protocol handled padding bytes
    when decrypting messages that were encrypted using block ciphers in
    cipher block chaining (CBC) mode. This flaw could possibly allow a
    man-in-the-middle (MITM) attacker to decrypt portions of the cipher
    text using a padding oracle attack. (CVE-2014-3566)
    
    Note: This update disables SSL 3.0 by default to address this issue.
    The jdk.tls.disabledAlgorithms security property can be used to
    re-enable SSL 3.0 support if needed. For additional information, refer
    to the Red Hat Bugzilla bug linked to in the References section.
    
    It was discovered that the SSL/TLS implementation in the JSSE
    component in OpenJDK failed to properly check whether the
    ChangeCipherSpec was received during the SSL/TLS connection handshake.
    An MITM attacker could possibly use this flaw to force a connection to
    be established without encryption being enabled. (CVE-2014-6593)
    
    An information leak flaw was found in the Swing component in OpenJDK.
    An untrusted Java application or applet could use this flaw to bypass
    certain Java sandbox restrictions. (CVE-2015-0407)
    
    A NULL pointer dereference flaw was found in the MulticastSocket
    implementation in the Libraries component of OpenJDK. An untrusted
    Java application or applet could possibly use this flaw to bypass
    certain Java sandbox restrictions. (CVE-2014-6587)
    
    Multiple boundary check flaws were found in the font parsing code in
    the 2D component in OpenJDK. A specially crafted font file could allow
    an untrusted Java application or applet to disclose portions of the
    Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591)
    
    Multiple insecure temporary file use issues were found in the way the
    Hotspot component in OpenJDK created performance statistics and error
    log files. A local attacker could possibly make a victim using OpenJDK
    overwrite arbitrary files using a symlink attack. (CVE-2015-0383)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2015-471.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update java-1.7.0-openjdk' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/23");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.53.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc");
    }
    
  • NASL familyMisc.
    NASL idVCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-WIN.NASL
    descriptionThe version of VMware vCenter Operations Manager installed on the remote Windows host has a bundled version of the Java JRE prior to version 1.7.0_76-b13 (aka 7.0.760.13). It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407) VMware has released a patch that updates the JRE bundled with the appliance.
    last seen2020-06-01
    modified2020-06-02
    plugin id82707
    published2015-04-10
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82707
    titleVMware vCenter Operations Management Windows JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82707);
      script_version("1.11");
      script_cvs_date("Date: 2018/11/15 20:50:24");
    
      script_cve_id(
        "CVE-2014-3566",
        "CVE-2014-6549",
        "CVE-2014-6585",
        "CVE-2014-6587",
        "CVE-2014-6591",
        "CVE-2014-6593",
        "CVE-2014-6601",
        "CVE-2015-0383",
        "CVE-2015-0395",
        "CVE-2015-0400",
        "CVE-2015-0403",
        "CVE-2015-0406",
        "CVE-2015-0407",
        "CVE-2015-0408",
        "CVE-2015-0410",
        "CVE-2015-0412",
        "CVE-2015-0413",
        "CVE-2015-0421",
        "CVE-2015-0437"
      );
      script_bugtraq_id(
        70574,
        72132,
        72136,
        72137,
        72140,
        72142,
        72146,
        72148,
        72150,
        72154,
        72155,
        72159,
        72162,
        72165,
        72168,
        72169,
        72173,
        72175,
        72176
      );
      script_xref(name:"CERT", value:"577193");
      script_xref(name:"VMSA", value:"2015-0003");
    
      script_name(english:"VMware vCenter Operations Management Windows JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE)");
      script_summary(english:"Checks the version of VMware vCenter Operations Manager.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has a virtualization application installed
    that is missing a vendor supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware vCenter Operations Manager installed on the
    remote Windows host has a bundled version of the Java JRE prior to
    version 1.7.0_76-b13 (aka 7.0.760.13). It is, therefore, affected by a
    man-in-the-middle (MitM) information disclosure vulnerability known as
    POODLE. The vulnerability is due to the way SSL 3.0 handles padding
    bytes when decrypting messages encrypted using block ciphers in cipher
    block chaining (CBC) mode. MitM attackers can decrypt a selected byte
    of a cipher text in as few as 256 tries if they are able to force a
    victim application to repeatedly send the same data over newly created
    SSL 3.0 connections. (CVE-2014-3566)
    
    Additionally, unspecified vulnerabilities also exist in the following
    bundled Java components :
    
      - 2D (CVE-2014-6585, CVE-2014-6591)
    
      - Deployment (CVE-2015-0403, CVE-2015-0406)
    
      - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
        CVE-2015-0437)
    
      - Installation (CVE-2015-0421)
    
      - JAX-WS (CVE-2015-0412)
    
      - JSSE (CVE-2014-6593)
    
      - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
    
      - RMI (CVE-2015-0408)
    
      - Security (CVE-2015-0410)
    
      - Serviceability (CVE-2015-0413)
    
      - Swing (CVE-2015-0407)
    
    VMware has released a patch that updates the JRE bundled with the
    appliance.");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2015-0003.html");
      # https://www.oracle.com/technetwork/java/javase/7u76-relnotes-2389087.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ae8dfc7a");
      # https://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75c6cafb");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2014/10/14/poodle.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/ssl-poodle.pdf");
      script_set_attribute(attribute:"see_also", value:"https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00");
      script_set_attribute(attribute:"solution", value:"Apply the vendor supplied patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/10");
    
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_operations");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_vcenter_operations_manager_installed.nbin");
      script_require_keys("SMB/Registry/Enumerated","installed_sw/VMware vCenter Operations Manager");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    include("install_func.inc");
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    
    appname = "VMware vCenter Operations Manager";
    install = get_single_install(app_name : appname, exit_if_unknown_ver : TRUE);
    jrever  = install['jreversion'];
    fixed   = "7.0.760.13";
    version = install['version'];
    
    if(jrever == UNKNOWN_VER)
      audit(AUDIT_UNKNOWN_APP_VER,appname+"'s redistributed JRE");
    
    if(version !~ "^5\.(7|8)" && version !~ "^6\.")
      audit(AUDIT_NOT_INST, appname + " 5.7.x / 5.8.x / 6.x");
    
    if(ver_compare(ver:jrever,fix:fixed,strict:FALSE) < 0)
    {
      port = kb_smb_transport();
      if (report_verbosity > 0)
      {
        report = '\n' +
                 '\n  Installed Version : '+install['version']+
                 '\n  JRE Path          : '+install['jrepath']+
                 '\n  JRE Version       : '+jrever+
                 '\n  Fixed JRE Version : '+fixed+
                 '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_PATCH_INSTALLED, "VMware-vcops-JRE-SKIP-TLS-HP.exe",appname,version);
    
    
  • NASL familyMisc.
    NASL idVMWARE_WORKSPACE_PORTAL_VMSA2015-0003.NASL
    descriptionThe VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is version 2.x prior to 2.1.1. It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen2020-06-01
    modified2020-06-02
    plugin id82742
    published2015-04-13
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82742
    titleVMware Workspace Portal Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2487-1.NASL
    descriptionSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395, CVE-2015-0408, CVE-2015-0412) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400, CVE-2015-0407) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6593) A vulnerability was discovered in the OpenJDK JRE related to integrity and availability. An attacker could exploit this to cause a denial of service. (CVE-2015-0383) A vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could this exploit to cause a denial of service. (CVE-2015-0410) A vulnerability was discovered in the OpenJDK JRE related to data integrity. (CVE-2015-0413). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id81045
    published2015-01-28
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81045
    titleUbuntu 14.04 LTS / 14.10 : openjdk-7 vulnerabilities (USN-2487-1) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0085.NASL
    descriptionUpdated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81013
    published2015-01-27
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81013
    titleRHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2015:0085) (POODLE)
  • NASL familyMisc.
    NASL idVCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-LINUX.NASL
    descriptionThe version of VMware vCenter Operations Manager installed on the remote Linux host has a bundled version of the Java JRE prior to version 1.7.0_76-b13 (aka 7.0.760.13). It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407) VMware has released a patch that updates the JRE bundled with the appliance.
    last seen2020-06-01
    modified2020-06-02
    plugin id82705
    published2015-04-10
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82705
    titleVMware vCenter Operations Management Linux JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0136.NASL
    descriptionUpdated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6585, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP9 release. All running instances of IBM Java must be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81204
    published2015-02-06
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81204
    titleRHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:0136)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-0068.NASL
    descriptionFrom Red Hat Security Advisory 2015:0068 : Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80900
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80900
    titleOracle Linux 5 : java-1.7.0-openjdk (ELSA-2015-0068) (POODLE)
  • NASL familyMisc.
    NASL idVMWARE_VCENTER_VMSA-2015-0003.NASL
    descriptionThe VMware vCenter Server installed on the remote host is version 5.0 prior to 5.0u3d, 5.1 prior to 5.1u3a, 5.5 prior to 5.5u2e, or 6.0 prior to 6.0.0a. It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE, related to the bundled JRE component. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. Additionally, multiple unspecified vulnerabilities also exist in the following bundled JRE components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen2020-06-01
    modified2020-06-02
    plugin id83186
    published2015-05-01
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83186
    titleVMware vCenter Server Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0264.NASL
    descriptionUpdated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Satellite 5.6. Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2014-3065, CVE-2014-3068, CVE-2014-3566, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) The CVE-2014-4262 and CVE-2014-6512 issues were discovered by Florian Weimer of Red Hat Product Security. Users of Red Hat Satellite 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP3 release. For this update to take effect, Red Hat Satellite must be restarted (
    last seen2020-06-01
    modified2020-06-02
    plugin id81505
    published2015-02-25
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81505
    titleRHEL 5 / 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0264) (POODLE)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-198.NASL
    descriptionMultiple vulnerabilities has been discovered and corrected in java-1.8.0-openjdk : Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions (CVE-2014-6601, CVE-2015-0437). Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408). A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0395). A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded (CVE-2015-0410). A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack (CVE-2014-3566). Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled (CVE-2014-6593). An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2015-0407). A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions (CVE-2014-6587). Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory (CVE-2014-6585, CVE-2014-6591). Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack (CVE-2015-0383). The updated packages provides a solution for these security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82684
    published2015-04-10
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82684
    titleMandriva Linux Security Advisory : java-1.8.0-openjdk (MDVSA-2015:198)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-91.NASL
    descriptionOpenJDK was updated to 2.5.4 - OpenJDK 7u75 to fix security issues and bugs : - Security fixes - S8046656: Update protocol support - S8047125, CVE-2015-0395: (ref) More phantom object references - S8047130: Fewer escapes from escape analysis - S8048035, CVE-2015-0400: Ensure proper proxy protocols - S8049253: Better GC validation - S8050807, CVE-2015-0383: Better performing performance data handling - S8054367, CVE-2015-0412: More references for endpoints - S8055304, CVE-2015-0407: More boxing for DirectoryComboBoxModel - S8055309, CVE-2015-0408: RMI needs better transportation considerations - S8055479: TLAB stability - S8055489, CVE-2014-6585: Better substitution formats - S8056264, CVE-2014-6587: Multicast support improvements - S8056276, CVE-2014-6591: Fontmanager feature improvements - S8057555, CVE-2014-6593: Less cryptic cipher suite management - S8058982, CVE-2014-6601: Better verification of an exceptional invokespecial - S8059485, CVE-2015-0410: Resolve parsing ambiguity - S8061210, CVE-2014-3566: Issues in TLS
    last seen2020-06-05
    modified2015-02-03
    plugin id81141
    published2015-02-03
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81141
    titleopenSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2015:0190-1) (POODLE)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-480.NASL
    descriptionA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412 , CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat.
    last seen2020-06-01
    modified2020-06-02
    plugin id81326
    published2015-02-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81326
    titleAmazon Linux AMI : java-1.6.0-openjdk (ALAS-2015-480) (POODLE)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-0068.NASL
    descriptionUpdated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80869
    published2015-01-21
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80869
    titleCentOS 5 : java-1.7.0-openjdk (CESA-2015:0068) (POODLE)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3147.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, information disclosure or denial of service.
    last seen2020-03-17
    modified2015-02-02
    plugin id81111
    published2015-02-02
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81111
    titleDebian DSA-3147-1 : openjdk-6 - security update (POODLE)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-0069.NASL
    descriptionUpdated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80870
    published2015-01-21
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80870
    titleCentOS 6 : java-1.8.0-openjdk (CESA-2015:0069) (POODLE)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-0067.NASL
    descriptionUpdated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80868
    published2015-01-21
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80868
    titleCentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:0067) (POODLE)
  • NASL familyWindows
    NASL idVMWARE_VCENTER_CHARGEBACK_MANAGER_VMSA_2015_0003.NASL
    descriptionThe version of VMware vCenter Chargeback Manager installed on the remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen2020-06-01
    modified2020-06-02
    plugin id82899
    published2015-04-20
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82899
    titleVMware vCenter Chargeback Manager Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0067.NASL
    descriptionUpdated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80880
    published2015-01-21
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80880
    titleRHEL 6 / 7 : java-1.7.0-openjdk (RHSA-2015:0067) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0069.NASL
    descriptionUpdated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80882
    published2015-01-21
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80882
    titleRHEL 6 : java-1.8.0-openjdk (RHSA-2015:0069) (POODLE)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150121_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL
    descriptionA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the- middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-03-18
    modified2015-01-22
    plugin id80903
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80903
    titleScientific Linux Security Update : java-1.7.0-openjdk on SL6.x, SL7.x i386/x86_64 (20150121) (POODLE)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-0085.NASL
    descriptionUpdated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81005
    published2015-01-27
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81005
    titleCentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2015:0085) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0068.NASL
    descriptionUpdated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80881
    published2015-01-21
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80881
    titleRHEL 5 : java-1.7.0-openjdk (RHSA-2015:0068) (POODLE)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-472.NASL
    descriptionMultiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601 , CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412 , CVE-2014-6549 , CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
    last seen2020-06-01
    modified2020-06-02
    plugin id80922
    published2015-01-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80922
    titleAmazon Linux AMI : java-1.8.0-openjdk (ALAS-2015-472) (POODLE)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-0069.NASL
    descriptionFrom Red Hat Security Advisory 2015:0069 : Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80901
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80901
    titleOracle Linux 6 : java-1.8.0-openjdk (ELSA-2015-0069) (POODLE)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150121_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL
    descriptionA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the- middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-03-18
    modified2015-01-22
    plugin id80902
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80902
    titleScientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20150121) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0134.NASL
    descriptionUpdated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR8-FP10 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81202
    published2015-02-06
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81202
    titleRHEL 5 : java-1.7.0-ibm (RHSA-2015:0134)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0080.NASL
    descriptionUpdated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2014-3566, CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413, CVE-2015-0421, CVE-2015-0437) The CVE-2015-0383 issue was discovered by Red Hat. Note: With this update, the Oracle Java SE now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the Red Hat Bugzilla bug linked to in the References section for instructions on how to re-enable SSL 3.0 support if needed. All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 31 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80932
    published2015-01-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80932
    titleRHEL 6 : java-1.8.0-oracle (RHSA-2015:0080) (POODLE)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150121_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    descriptionMultiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the- middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-03-18
    modified2015-01-22
    plugin id80904
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80904
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (20150121) (POODLE)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-0085.NASL
    descriptionFrom Red Hat Security Advisory 2015:0085 : Updated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81011
    published2015-01-27
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81011
    titleOracle Linux 5 / 6 / 7 : java-1.6.0-openjdk (ELSA-2015-0085) (POODLE)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-033.NASL
    descriptionUpdated java-1.7.0 packages fix security vulnerabilities : A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions (CVE-2014-6601). Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2015-0412, CVE-2015-0408). A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0395). A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded (CVE-2015-0410). It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled (CVE-2014-6593). An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2015-0407). A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions (CVE-2014-6587). Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory (CVE-2014-6585, CVE-2014-6591). Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack (CVE-2015-0383). Note: This update disables SSL 3.0 by default to mitigate the POODLE issue, also known as CVE-2014-3566. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id81233
    published2015-02-09
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81233
    titleMandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2015:033)
  • NASL familyWindows
    NASL idVMWARE_HORIZON_VIEW_VMSA-2015-0003.NASL
    descriptionThe VMware Horizon View installed on the remote Windows host is version 5.x prior to 5.3.4 or version 6.x prior to 6.1. It is, therefore, affected by the following vulnerabilities : - A man-in-the-middle (MitM) information disclosure vulnerability, known as POODLE, exists due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) - An XML external entity (XXE) injection vulnerability exists in the included Flex BlazeDS component due to an incorrect configuration of the XML parser that allows external XML entities to be accepted from untrusted sources. An unauthenticated, remote attacker can exploit this vulnerability, via a via a crafted AMF message, to gain access to sensitive information. (CVE-2015-3269) - A flaw exists in the bundled Adobe ColdFusion and LiveCycle Data Services components related to request handling between a user and the server. A remote attacker can exploit this, via a specially crafted request, to bypass access restrictions (e.g. host or network ACLs), conduct port scanning of internal networks, enumerate internal hosts, or possibly invoke additional protocols (e.g. Gopher, TFTP). (CVE-2015-5255) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen2020-06-01
    modified2020-06-02
    plugin id82741
    published2015-04-13
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82741
    titleVMware Horizon View Multiple Vulnerabilities (VMSA-2015-0003) (VMSA-2015-0008) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0086.NASL
    descriptionUpdated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) The CVE-2015-0383 issue was discovered by Red Hat. Note: With this update, the Oracle Java SE now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the Red Hat Bugzilla bug linked to in the References section for instructions on how to re-enable SSL 3.0 support if needed. All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 91 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81014
    published2015-01-27
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81014
    titleRHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2015:0086) (POODLE)
  • NASL familyAIX Local Security Checks
    NASL idAIX_JAVA_FEB2015_ADVISORY.NASL
    descriptionThe version of Java SDK installed on the remote host is affected by the following vulnerabilities : - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) - Information disclosure flaws exist in the font parsing code in the 2D component in OpenJDK. A specially crafted font file can exploit boundary check flaws and allow an untrusted Java applet or application to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) - A NULL pointer dereference flaw exists in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java applet or application can use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) - The SSL/TLS implementation in the JSSE component in OpenJDK fails to properly check whether the ChangeCipherSpec was received during a SSL/TLS connection handshake. An MitM attacker can use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) - An unspecified privilege escalation vulnerability exists in IBM Java Virtual Machine. (CVE-2014-8891) - An unspecified information disclosure vulnerability exists in the Libraries component of Oracle Java SE. (CVE-2015-0400) - An unspecified information disclosure vulnerability exists in the Deployment component of Oracle Java SE. (CVE-2015-0403) - Unspecified denial of service and information disclosure vulnerabilities exist in the Deployment component of Oracle Java SE. (CVE-2015-0406) - An information disclosure vulnerability exists in the Swing component in OpenJDK. An untrusted Java applet or application can use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) - Multiple improper permission check vulnerabilities exist in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java applet or application can use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) - A denial of service vulnerability exists in the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK when handling negative length values. A specially crafted, DER-encoded input can cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410)
    last seen2020-06-01
    modified2020-06-02
    plugin id81491
    published2015-02-24
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81491
    titleAIX Java Advisory : java_feb2015_advisory.asc (POODLE)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0503-1.NASL
    descriptionThis update fixes 13 security issues. These security issues were fixed : - CVE-2015-0395: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot (bnc#914041). - CVE-2015-0400: Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality via unknown vectors related to Libraries (bnc#914041). - CVE-2015-0383: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allowed local users to affect integrity and availability via unknown vectors related to Hotspot (bnc#914041). - CVE-2015-0412: Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS (bnc#914041). - CVE-2015-0407: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality via unknown vectors related to Swing (bnc#914041). - CVE-2015-0408: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI (bnc#914041). - CVE-2014-6585: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality via unknown vectors reelated to 2D, a different vulnerability than CVE-2014-6591 (bnc#914041). - CVE-2014-6587: Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allowed local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#914041). - CVE-2014-6591: Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585 (bnc#914041). - CVE-2014-6593: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allowed remote attackers to affect confidentiality and integrity via vectors related to JSSE (bnc#914041). - CVE-2014-6601: Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot (bnc#914041). - CVE-2015-0410: Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allowed remote attackers to affect availability via unknown vectors related to Security (bnc#914041). - CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, used nondeterministic CBC padding, which made it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id83699
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83699
    titleSUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:0503-1) (POODLE)
  • NASL familyMisc.
    NASL idVCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-VAPP.NASL
    descriptionThe version of VMware vCenter Operations Manager installed on the remote host has a bundled version of the Java JRE prior to version 1.7.0_76-b13 (aka 7.0.760). It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407) VMware has released a patch that updates the JRE bundled with the appliance.
    last seen2020-06-01
    modified2020-06-02
    plugin id82706
    published2015-04-10
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82706
    titleVMware vCenter Operations Management vApp JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2486-1.NASL
    descriptionSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395, CVE-2015-0408, CVE-2015-0412) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400, CVE-2015-0407) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6593) A vulnerability was discovered in the OpenJDK JRE related to integrity and availability. An attacker could exploit this to cause a denial of service. (CVE-2015-0383) A vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could this exploit to cause a denial of service. (CVE-2015-0410). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id81043
    published2015-01-28
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81043
    titleUbuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2486-1) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0133.NASL
    descriptionUpdated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR2-FP10 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81201
    published2015-02-06
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81201
    titleRHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:0133)
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_JAN_2015_UNIX.NASL
    descriptionThe version of Oracle Java SE or Java for Business installed on the remote host is prior to 8 Update 31, 7 Update 75, 6 Update 91, or 5 Update 81. It is, therefore, affected by security vulnerabilities in the following components : - 2D - Deployment - Hotspot - Install - JAX-WS - JSSE - Libraries - RMI - Security - Serviceability - Swing
    last seen2020-06-01
    modified2020-06-02
    plugin id80907
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80907
    titleOracle Java SE Multiple Vulnerabilities (January 2015 CPU) (Unix) (POODLE)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0135.NASL
    descriptionUpdated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP3 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id81203
    published2015-02-06
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81203
    titleRHEL 5 / 6 : java-1.6.0-ibm (RHSA-2015:0135)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-0067.NASL
    descriptionFrom Red Hat Security Advisory 2015:0067 : Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id80899
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80899
    titleOracle Linux 6 / 7 : java-1.7.0-openjdk (ELSA-2015-0067) (POODLE)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-157.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, information disclosure or denial of service. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2015-03-26
    plugin id82140
    published2015-03-26
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82140
    titleDebian DLA-157-1 : openjdk-6 security update (POODLE)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_JAVA-1_7_0-OPENJDK-150206.NASL
    descriptionjava-1_7_0-openjdk was updated to fix 19 security issues. Details are available at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.h tml#AppendixJAVA
    last seen2020-06-01
    modified2020-06-02
    plugin id81419
    published2015-02-20
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81419
    titleSuSE 11.3 Security Update : java-1_7_0-openjdk (SAT Patch Number 10286)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150126_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL
    descriptionA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the- middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-03-18
    modified2015-01-27
    plugin id81015
    published2015-01-27
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81015
    titleScientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 (20150126) (POODLE)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201603-14.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201603-14 (IcedTea: Multiple vulnerabilities) Various OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot, Libraries, and JAXP, exist which allows remote attackers to affect the confidentiality, integrity, and availability of vulnerable systems. This includes the possibility of remote execution of arbitrary code, information disclosure, or Denial of Service. Many of the vulnerabilities can only be exploited through sandboxed Java Web Start applications and java applets. Please reference the CVEs listed for specific details. Impact : Remote attackers may remotely execute arbitrary code, compromise information, or cause Denial of Service. Workaround : There is no known work around at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id89907
    published2016-03-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89907
    titleGLSA-201603-14 : IcedTea: Multiple vulnerabilities
  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_JAN_2015.NASL
    descriptionThe version of Oracle Java SE or Java for Business installed on the remote host is prior to 8 Update 31, 7 Update 75, 6 Update 91, or 5 Update 81. It is, therefore, affected by security vulnerabilities in the following components : - 2D - Deployment - Hotspot - Install - JAX-WS - JSSE - Libraries - RMI - Security - Serviceability - Swing
    last seen2020-06-01
    modified2020-06-02
    plugin id80908
    published2015-01-22
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80908
    titleOracle Java SE Multiple Vulnerabilities (January 2015 CPU) (POODLE)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201507-14.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201507-14 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Oracle JRE/JDK. Please review the CVE identifiers referenced below for details. Impact : An context-dependent attacker may be able to influence the confidentiality, integrity, and availability of Java applications/runtime. Workaround : There is no workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id84719
    published2015-07-14
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84719
    titleGLSA-201507-14 : Oracle JRE/JDK: Multiple vulnerabilities (POODLE)

Redhat

advisories
  • rhsa
    idRHSA-2015:0068
  • rhsa
    idRHSA-2015:0079
  • rhsa
    idRHSA-2015:0080
  • rhsa
    idRHSA-2015:0085
  • rhsa
    idRHSA-2015:0086
  • rhsa
    idRHSA-2015:0136
  • rhsa
    idRHSA-2015:0264
rpms
  • java-1.7.0-openjdk-1:1.7.0.75-2.5.4.0.el6_6
  • java-1.7.0-openjdk-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-accessibility-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.75-2.5.4.0.el6_6
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-demo-1:1.7.0.75-2.5.4.0.el6_6
  • java-1.7.0-openjdk-demo-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-devel-1:1.7.0.75-2.5.4.0.el6_6
  • java-1.7.0-openjdk-devel-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-headless-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-javadoc-1:1.7.0.75-2.5.4.0.el6_6
  • java-1.7.0-openjdk-javadoc-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-src-1:1.7.0.75-2.5.4.0.el6_6
  • java-1.7.0-openjdk-src-1:1.7.0.75-2.5.4.2.el7_0
  • java-1.7.0-openjdk-1:1.7.0.75-2.5.4.0.el5_11
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.75-2.5.4.0.el5_11
  • java-1.7.0-openjdk-demo-1:1.7.0.75-2.5.4.0.el5_11
  • java-1.7.0-openjdk-devel-1:1.7.0.75-2.5.4.0.el5_11
  • java-1.7.0-openjdk-javadoc-1:1.7.0.75-2.5.4.0.el5_11
  • java-1.7.0-openjdk-src-1:1.7.0.75-2.5.4.0.el5_11
  • java-1.8.0-openjdk-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-demo-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-devel-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-headless-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-javadoc-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-src-1:1.8.0.31-1.b13.el6_6
  • java-1.7.0-oracle-1:1.7.0.75-1jpp.1.el5_11
  • java-1.7.0-oracle-1:1.7.0.75-1jpp.1.el6
  • java-1.7.0-oracle-1:1.7.0.75-1jpp.2.el7
  • java-1.7.0-oracle-devel-1:1.7.0.75-1jpp.1.el5_11
  • java-1.7.0-oracle-devel-1:1.7.0.75-1jpp.1.el6
  • java-1.7.0-oracle-devel-1:1.7.0.75-1jpp.2.el7
  • java-1.7.0-oracle-javafx-1:1.7.0.75-1jpp.1.el5_11
  • java-1.7.0-oracle-javafx-1:1.7.0.75-1jpp.1.el6
  • java-1.7.0-oracle-javafx-1:1.7.0.75-1jpp.2.el7
  • java-1.7.0-oracle-jdbc-1:1.7.0.75-1jpp.1.el5_11
  • java-1.7.0-oracle-jdbc-1:1.7.0.75-1jpp.1.el6
  • java-1.7.0-oracle-jdbc-1:1.7.0.75-1jpp.2.el7
  • java-1.7.0-oracle-plugin-1:1.7.0.75-1jpp.1.el5_11
  • java-1.7.0-oracle-plugin-1:1.7.0.75-1jpp.1.el6
  • java-1.7.0-oracle-plugin-1:1.7.0.75-1jpp.2.el7
  • java-1.7.0-oracle-src-1:1.7.0.75-1jpp.1.el5_11
  • java-1.7.0-oracle-src-1:1.7.0.75-1jpp.1.el6
  • java-1.7.0-oracle-src-1:1.7.0.75-1jpp.2.el7
  • java-1.8.0-oracle-1:1.8.0.31-1jpp.1.el6
  • java-1.8.0-oracle-devel-1:1.8.0.31-1jpp.1.el6
  • java-1.8.0-oracle-javafx-1:1.8.0.31-1jpp.1.el6
  • java-1.8.0-oracle-jdbc-1:1.8.0.31-1jpp.1.el6
  • java-1.8.0-oracle-plugin-1:1.8.0.31-1jpp.1.el6
  • java-1.8.0-oracle-src-1:1.8.0.31-1jpp.1.el6
  • java-1.6.0-openjdk-1:1.6.0.34-1.13.6.1.el5_11
  • java-1.6.0-openjdk-1:1.6.0.34-1.13.6.1.el6_6
  • java-1.6.0-openjdk-1:1.6.0.34-1.13.6.1.el7_0
  • java-1.6.0-openjdk-debuginfo-1:1.6.0.34-1.13.6.1.el5_11
  • java-1.6.0-openjdk-debuginfo-1:1.6.0.34-1.13.6.1.el6_6
  • java-1.6.0-openjdk-debuginfo-1:1.6.0.34-1.13.6.1.el7_0
  • java-1.6.0-openjdk-demo-1:1.6.0.34-1.13.6.1.el5_11
  • java-1.6.0-openjdk-demo-1:1.6.0.34-1.13.6.1.el6_6
  • java-1.6.0-openjdk-demo-1:1.6.0.34-1.13.6.1.el7_0
  • java-1.6.0-openjdk-devel-1:1.6.0.34-1.13.6.1.el5_11
  • java-1.6.0-openjdk-devel-1:1.6.0.34-1.13.6.1.el6_6
  • java-1.6.0-openjdk-devel-1:1.6.0.34-1.13.6.1.el7_0
  • java-1.6.0-openjdk-javadoc-1:1.6.0.34-1.13.6.1.el5_11
  • java-1.6.0-openjdk-javadoc-1:1.6.0.34-1.13.6.1.el6_6
  • java-1.6.0-openjdk-javadoc-1:1.6.0.34-1.13.6.1.el7_0
  • java-1.6.0-openjdk-src-1:1.6.0.34-1.13.6.1.el5_11
  • java-1.6.0-openjdk-src-1:1.6.0.34-1.13.6.1.el6_6
  • java-1.6.0-openjdk-src-1:1.6.0.34-1.13.6.1.el7_0
  • java-1.6.0-sun-1:1.6.0.91-1jpp.1.el5_11
  • java-1.6.0-sun-1:1.6.0.91-1jpp.1.el6
  • java-1.6.0-sun-1:1.6.0.91-1jpp.1.el7
  • java-1.6.0-sun-demo-1:1.6.0.91-1jpp.1.el5_11
  • java-1.6.0-sun-demo-1:1.6.0.91-1jpp.1.el6
  • java-1.6.0-sun-demo-1:1.6.0.91-1jpp.1.el7
  • java-1.6.0-sun-devel-1:1.6.0.91-1jpp.1.el5_11
  • java-1.6.0-sun-devel-1:1.6.0.91-1jpp.1.el6
  • java-1.6.0-sun-devel-1:1.6.0.91-1jpp.1.el7
  • java-1.6.0-sun-jdbc-1:1.6.0.91-1jpp.1.el5_11
  • java-1.6.0-sun-jdbc-1:1.6.0.91-1jpp.1.el6
  • java-1.6.0-sun-jdbc-1:1.6.0.91-1jpp.1.el7
  • java-1.6.0-sun-plugin-1:1.6.0.91-1jpp.1.el5_11
  • java-1.6.0-sun-plugin-1:1.6.0.91-1jpp.1.el6
  • java-1.6.0-sun-plugin-1:1.6.0.91-1jpp.1.el7
  • java-1.6.0-sun-src-1:1.6.0.91-1jpp.1.el5_11
  • java-1.6.0-sun-src-1:1.6.0.91-1jpp.1.el6
  • java-1.6.0-sun-src-1:1.6.0.91-1jpp.1.el7
  • java-1.7.1-ibm-1:1.7.1.2.10-1jpp.3.el6_6
  • java-1.7.1-ibm-1:1.7.1.2.10-1jpp.3.el7_0
  • java-1.7.1-ibm-demo-1:1.7.1.2.10-1jpp.3.el6_6
  • java-1.7.1-ibm-demo-1:1.7.1.2.10-1jpp.3.el7_0
  • java-1.7.1-ibm-devel-1:1.7.1.2.10-1jpp.3.el6_6
  • java-1.7.1-ibm-devel-1:1.7.1.2.10-1jpp.3.el7_0
  • java-1.7.1-ibm-jdbc-1:1.7.1.2.10-1jpp.3.el6_6
  • java-1.7.1-ibm-jdbc-1:1.7.1.2.10-1jpp.3.el7_0
  • java-1.7.1-ibm-plugin-1:1.7.1.2.10-1jpp.3.el6_6
  • java-1.7.1-ibm-plugin-1:1.7.1.2.10-1jpp.3.el7_0
  • java-1.7.1-ibm-src-1:1.7.1.2.10-1jpp.3.el6_6
  • java-1.7.1-ibm-src-1:1.7.1.2.10-1jpp.3.el7_0
  • java-1.7.0-ibm-1:1.7.0.8.10-1jpp.4.el5
  • java-1.7.0-ibm-demo-1:1.7.0.8.10-1jpp.4.el5
  • java-1.7.0-ibm-devel-1:1.7.0.8.10-1jpp.4.el5
  • java-1.7.0-ibm-jdbc-1:1.7.0.8.10-1jpp.4.el5
  • java-1.7.0-ibm-plugin-1:1.7.0.8.10-1jpp.4.el5
  • java-1.7.0-ibm-src-1:1.7.0.8.10-1jpp.4.el5
  • java-1.6.0-ibm-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-1:1.6.0.16.3-1jpp.1.el6_6
  • java-1.6.0-ibm-accessibility-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-demo-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-demo-1:1.6.0.16.3-1jpp.1.el6_6
  • java-1.6.0-ibm-devel-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-devel-1:1.6.0.16.3-1jpp.1.el6_6
  • java-1.6.0-ibm-javacomm-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-javacomm-1:1.6.0.16.3-1jpp.1.el6_6
  • java-1.6.0-ibm-jdbc-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-jdbc-1:1.6.0.16.3-1jpp.1.el6_6
  • java-1.6.0-ibm-plugin-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-plugin-1:1.6.0.16.3-1jpp.1.el6_6
  • java-1.6.0-ibm-src-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-src-1:1.6.0.16.3-1jpp.1.el6_6
  • java-1.5.0-ibm-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-1:1.5.0.16.9-1jpp.1.el6_6
  • java-1.5.0-ibm-accessibility-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-demo-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-demo-1:1.5.0.16.9-1jpp.1.el6_6
  • java-1.5.0-ibm-devel-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-devel-1:1.5.0.16.9-1jpp.1.el6_6
  • java-1.5.0-ibm-javacomm-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-javacomm-1:1.5.0.16.9-1jpp.1.el6_6
  • java-1.5.0-ibm-jdbc-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-jdbc-1:1.5.0.16.9-1jpp.1.el6_6
  • java-1.5.0-ibm-plugin-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-plugin-1:1.5.0.16.9-1jpp.1.el6_6
  • java-1.5.0-ibm-src-1:1.5.0.16.9-1jpp.1.el5
  • java-1.5.0-ibm-src-1:1.5.0.16.9-1jpp.1.el6_6
  • java-1.6.0-ibm-1:1.6.0.16.3-1jpp.1.el6
  • java-1.6.0-ibm-devel-1:1.6.0.16.3-1jpp.1.el6
  • java-1.6.0-ibm-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-1:1.6.0.16.3-1jpp.1.el6
  • java-1.6.0-ibm-devel-1:1.6.0.16.3-1jpp.1.el5
  • java-1.6.0-ibm-devel-1:1.6.0.16.3-1jpp.1.el6