Vulnerabilities > CVE-2015-0470 - Unspecified vulnerability in Oracle JDK and JRE

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
oracle
nessus

Summary

Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to affect integrity via unknown vectors related to Hotspot. Per Oracle: Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets. (http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html)

Vulnerable Configurations

Part Description Count
Application
Oracle
2

Nessus

  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_APR_2015.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 45, 7 Update 79, 6 Update 95, or 5 Update 85. It is, therefore, affected by security vulnerabilities in the following components : - 2D - Beans - Deployment - Hotspot - JavaFX - JCE - JSSE - Tools
    last seen2020-06-01
    modified2020-06-02
    plugin id82820
    published2015-04-16
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82820
    titleOracle Java SE Multiple Vulnerabilities (April 2015 CPU) (FREAK)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(82820);
      script_version("1.13");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id(
        "CVE-2015-0204",
        "CVE-2015-0458",
        "CVE-2015-0459",
        "CVE-2015-0460",
        "CVE-2015-0469",
        "CVE-2015-0470",
        "CVE-2015-0477",
        "CVE-2015-0478",
        "CVE-2015-0480",
        "CVE-2015-0484",
        "CVE-2015-0486",
        "CVE-2015-0488",
        "CVE-2015-0491",
        "CVE-2015-0492"
      );
      script_bugtraq_id(
        71936,
        74072,
        74083,
        74094,
        74097,
        74104,
        74111,
        74119,
        74129,
        74135,
        74141,
        74145,
        74147,
        74149
      );
    
      script_name(english:"Oracle Java SE Multiple Vulnerabilities (April 2015 CPU) (FREAK)");
      script_summary(english:"Checks the version of the JRE.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a programming platform that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business
    installed on the remote host is prior to 8 Update 45, 7 Update 79,
    6 Update 95, or 5 Update 85. It is, therefore, affected by security
    vulnerabilities in the following components :
    
      - 2D
      - Beans
      - Deployment
      - Hotspot
      - JavaFX
      - JCE
      - JSSE
      - Tools");
      # http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56618dc1");
      # Java SE JDK and JRE 8 Update 45
      # https://www.oracle.com/technetwork/java/javase/8u45-relnotes-2494160.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abb7def2");
      # Java SE JDK and JRE 7 Update 79
      # https://www.oracle.com/technetwork/java/javase/7u79-relnotes-2494161.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7736cf95");
      # Java SE JDK and JRE 6 Update 95
      # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?726f7054");
      #Java SE JDK and JRE 5.0 Update 85
      # https://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84f3023c");
      script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle JDK / JRE 8 Update 45, 7 Update 79, 6 Update 95, or
    5 Update 85 or later. If necessary, remove any affected versions.
    
    Note that an Extended Support contract with Oracle is needed to obtain
    JDK / JRE 5 Update 85 or later and 6 Update 95 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
    
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("sun_java_jre_installed.nasl");
      script_require_keys("SMB/Java/JRE/Installed");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit("SMB/Java/JRE/*");
    
    info = "";
    vuln = 0;
    installed_versions = "";
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - "SMB/Java/JRE/";
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + " & " + ver;
    
      # Fixes : (JDK|JRE) 8 Update 45 / 7 Update 79 / 6 Update 95 / 5 Update 85
      if (
        ver =~ '^1\\.5\\.0_([0-9]|[0-7][0-9]|8[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.6\\.0_([0-9]|[0-8][0-9]|9[0-4])([^0-9]|$)' ||
        ver =~ '^1\\.7\\.0_([0-9]|[0-6][0-9]|7[0-8])([^0-9]|$)' ||
        ver =~ '^1\\.8\\.0_([0-9]|[0-3][0-9]|4[0-4])([^0-9]|$)'
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.5.0_85 / 1.6.0_95 / 1.7.0_79 / 1.8.0_45\n';
      }
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      if (report_verbosity > 0)
      {
        if (vuln > 1) s = "s of Java are";
        else s = " of Java is";
    
        report =
          '\n' +
          'The following vulnerable instance'+s+' installed on the\n' +
          'remote host :\n' +
          info;
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else
    {
      installed_versions = substr(installed_versions, 3);
      if (" & " >< installed_versions)
        exit(0, "The Java "+installed_versions+" installs on the remote host are not affected.");
      else
        audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions);
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3316.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, denial of service or insecure cryptography.
    last seen2020-06-01
    modified2020-06-02
    plugin id85031
    published2015-07-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85031
    titleDebian DSA-3316-1 : openjdk-7 - security update (Bar Mitzvah) (Logjam)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3316. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(85031);
      script_version("2.12");
      script_cvs_date("Date: 2019/07/15 14:20:29");
    
      script_cve_id("CVE-2014-8873", "CVE-2015-0460", "CVE-2015-0469", "CVE-2015-0470", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-2590", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2621", "CVE-2015-2625", "CVE-2015-2628", "CVE-2015-2632", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4760");
      script_xref(name:"DSA", value:"3316");
    
      script_name(english:"Debian DSA-3316-1 : openjdk-7 - security update (Bar Mitzvah) (Logjam)");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in OpenJDK, an
    implementation of the Oracle Java platform, resulting in the execution
    of arbitrary code, breakouts of the Java sandbox, information
    disclosure, denial of service or insecure cryptography."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/openjdk-7"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/openjdk-7"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2015/dsa-3316"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the openjdk-7 packages.
    
    For the oldstable distribution (wheezy), these problems have been
    fixed in version 7u79-2.5.6-1~deb7u1.
    
    For the stable distribution (jessie), these problems have been fixed
    in version 7u79-2.5.6-1~deb8u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openjdk-7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/28");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"icedtea-7-jre-cacao", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"icedtea-7-jre-jamvm", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-dbg", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-demo", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-doc", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jdk", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre-headless", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre-lib", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-jre-zero", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"openjdk-7-source", reference:"7u79-2.5.6-1~deb7u1")) flag++;
    if (deb_check(release:"8.0", prefix:"icedtea-7-jre-jamvm", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-dbg", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-demo", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-doc", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-jdk", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-jre", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-jre-headless", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-jre-lib", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-jre-zero", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"openjdk-7-source", reference:"7u79-2.5.6-1~deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-332.NASL
    descriptionOpenJDK was updated to jdk8u45-b14 to fix security issues and bugs. The following vulnerabilities were fixed : - CVE-2015-0458: Deployment: unauthenticated remote attackers could execute arbitrary code via multiple protocols. - CVE-2015-0459: 2D: unauthenticated remote attackers could execute arbitrary code via multiple protocols. - CVE-2015-0460: Hotspot: unauthenticated remote attackers could execute arbitrary code via multiple protocols. - CVE-2015-0469: 2D: unauthenticated remote attackers could execute arbitrary code via multiple protocols. - CVE-2015-0470: Hotspot: unauthenticated remote attackers could update, insert or delete some JAVA accessible data via multiple protocols - CVE-2015-0477: Beans: unauthenticated remote attackers could update, insert or delete some JAVA accessible data via multiple protocols - CVE-2015-0478: JCE: unauthenticated remote attackers could read some JAVA accessible data via multiple protocols - CVE-2015-0480: Tools: unauthenticated remote attackers could update, insert or delete some JAVA accessible data via multiple protocols and cause a partial denial of service (partial DOS) - CVE-2015-0484: JavaFX: unauthenticated remote attackers could read, update, insert or delete access some Java accessible data via multiple protocols and cause a partial denial of service (partial DOS). - CVE-2015-0486: Deployment: unauthenticated remote attackers could read some JAVA accessible data via multiple protocols - CVE-2015-0488: JSSE: unauthenticated remote attackers could cause a partial denial of service (partial DOS). - CVE-2015-0491: 2D: unauthenticated remote attackers could execute arbitrary code via multiple protocols. - CVE-2015-0492: JavaFX: unauthenticated remote attackers could execute arbitrary code via multiple protocols.
    last seen2020-06-05
    modified2015-04-28
    plugin id83107
    published2015-04-28
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83107
    titleopenSUSE Security Update : java-1_8_0-openjdk (openSUSE-2015-332)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-213.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service. For Debian 6
    last seen2020-03-17
    modified2015-05-01
    plugin id83165
    published2015-05-01
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83165
    titleDebian DLA-213-1 : openjdk-6 security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3235.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id83063
    published2015-04-27
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83063
    titleDebian DSA-3235-1 : openjdk-7 - security update
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150415_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    descriptionAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478) All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-03-18
    modified2015-04-16
    plugin id82816
    published2015-04-16
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82816
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL6.x, SL7.x i386/srpm/x86_64 (20150415)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-517.NASL
    descriptionAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477 , CVE-2015-0470) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080 , CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478)
    last seen2020-06-01
    modified2020-06-02
    plugin id83268
    published2015-05-07
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83268
    titleAmazon Linux AMI : java-1.8.0-openjdk (ALAS-2015-517)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0854.NASL
    descriptionUpdated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492) The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 45 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id82897
    published2015-04-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82897
    titleRHEL 6 / 7 : java-1.8.0-oracle (RHSA-2015:0854)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201603-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201603-11 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities exist in both Oracle&rsquo;s JRE and JDK. Please review the referenced CVE&rsquo;s for additional information. Impact : Remote attackers could gain access to information, remotely execute arbitrary code, and cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id89904
    published2016-03-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89904
    titleGLSA-201603-11 : Oracle JRE/JDK: Multiple vulnerabilities (Logjam)
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_APR_2015_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 45, 7 Update 79, 6 Update 95, or 5 Update 85. It is, therefore, affected by security vulnerabilities in the following components : - 2D - Beans - Deployment - Hotspot - JavaFX - JCE - JSSE - Tools
    last seen2020-06-01
    modified2020-06-02
    plugin id82821
    published2015-04-16
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82821
    titleOracle Java SE Multiple Vulnerabilities (April 2015 CPU) (Unix) (FREAK)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3234.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id83062
    published2015-04-27
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83062
    titleDebian DSA-3234-1 : openjdk-6 - security update
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-0809.NASL
    descriptionUpdated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478) The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id82804
    published2015-04-16
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82804
    titleCentOS 6 / 7 : java-1.8.0-openjdk (CESA-2015:0809)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-0809.NASL
    descriptionUpdated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478) The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id82811
    published2015-04-16
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82811
    titleRHEL 6 / 7 : java-1.8.0-openjdk (RHSA-2015:0809)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-0809.NASL
    descriptionFrom Red Hat Security Advisory 2015:0809 : Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469) A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460) A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488) Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470) A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480) It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478) The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id82789
    published2015-04-15
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82789
    titleOracle Linux 6 / 7 : java-1.8.0-openjdk (ELSA-2015-0809)

Redhat

advisories
  • rhsa
    idRHSA-2015:0809
  • rhsa
    idRHSA-2015:0854
rpms
  • java-1.8.0-openjdk-1:1.8.0.45-28.b13.el6_6
  • java-1.8.0-openjdk-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-openjdk-accessibility-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-accessibility-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.45-28.b13.el6_6
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-openjdk-demo-1:1.8.0.45-28.b13.el6_6
  • java-1.8.0-openjdk-demo-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-demo-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-openjdk-devel-1:1.8.0.45-28.b13.el6_6
  • java-1.8.0-openjdk-devel-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-devel-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-openjdk-headless-1:1.8.0.45-28.b13.el6_6
  • java-1.8.0-openjdk-headless-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-headless-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-openjdk-javadoc-1:1.8.0.45-28.b13.el6_6
  • java-1.8.0-openjdk-javadoc-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-javadoc-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-openjdk-src-1:1.8.0.45-28.b13.el6_6
  • java-1.8.0-openjdk-src-1:1.8.0.45-30.b13.ael7b_1
  • java-1.8.0-openjdk-src-1:1.8.0.45-30.b13.el7_1
  • java-1.8.0-oracle-1:1.8.0.45-1jpp.2.el6_6
  • java-1.8.0-oracle-1:1.8.0.45-1jpp.2.el7_1
  • java-1.8.0-oracle-devel-1:1.8.0.45-1jpp.2.el6_6
  • java-1.8.0-oracle-devel-1:1.8.0.45-1jpp.2.el7_1
  • java-1.8.0-oracle-javafx-1:1.8.0.45-1jpp.2.el6_6
  • java-1.8.0-oracle-javafx-1:1.8.0.45-1jpp.2.el7_1
  • java-1.8.0-oracle-jdbc-1:1.8.0.45-1jpp.2.el6_6
  • java-1.8.0-oracle-jdbc-1:1.8.0.45-1jpp.2.el7_1
  • java-1.8.0-oracle-plugin-1:1.8.0.45-1jpp.2.el6_6
  • java-1.8.0-oracle-plugin-1:1.8.0.45-1jpp.2.el7_1
  • java-1.8.0-oracle-src-1:1.8.0.45-1jpp.2.el6_6
  • java-1.8.0-oracle-src-1:1.8.0.45-1jpp.2.el7_1