Vulnerabilities > CVE-2015-1931 - Cleartext Storage of Sensitive Information vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
low complexity
ibm
suse
redhat
CWE-312
nessus

Summary

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.

Vulnerable Configurations

Part Description Count
Application
Ibm
67
Application
Redhat
2
OS
Suse
7
OS
Redhat
15

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Lifting Data Embedded in Client Distributions
    An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials).

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1375-1.NASL
    descriptionjava-1_7_0-ibm was updated to fix 21 security issues. These security issues were fixed : - CVE-2015-4729: Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allowed remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment (bsc#938895). - CVE-2015-4748: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and Embedded 8u33 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security (bsc#938895). - CVE-2015-2664: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allowed local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment (bsc#938895). - CVE-2015-0192: Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 FP11, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 before SR16 FP10 allowed remote attackers to gain privileges via unknown vectors related to the Java Virtual Machine (bsc#938895). - CVE-2015-2613: Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality via vectors related to JCE (bsc#938895). - CVE-2015-4731: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java SE Embedded 7u75; and Java SE Embedded 8u33 allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX (bsc#938895). - CVE-2015-2637: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JavaFX 2.2.80; and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#938895). - CVE-2015-4733: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI (bsc#938895). - CVE-2015-4732: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-2590 (bsc#938895). - CVE-2015-2621: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33, allowed remote attackers to affect confidentiality via vectors related to JMX (bsc#938895). - CVE-2015-2619: Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, JavaFX 2.2.80, and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#938895). - CVE-2015-2590: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732 (bsc#938895). - CVE-2015-2638: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JavaFX 2.2.80; and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (bsc#938895). - CVE-2015-2625: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and 8u33 allowed remote attackers to affect confidentiality via vectors related to JSSE (bsc#938895). - CVE-2015-2632: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#938895). - CVE-2015-1931: Unspecified vulnerability (bsc#938895). - CVE-2015-4760: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (bsc#938895). - CVE-2015-4000: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, did not properly convey a DHE_EXPORT choice, which allowed man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the
    last seen2020-06-01
    modified2020-06-02
    plugin id85379
    published2015-08-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85379
    titleSUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2015:1375-1) (Bar Mitzvah) (Logjam)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1345-1.NASL
    descriptionIBM Java was updated to 6.0-16.7 to fix several security issues. The following vulnerabilities were fixed : - CVE-2015-1931: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. - CVE-2015-2590: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2601: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2621: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2625: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2632: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2637: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2638: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2664: Difficult to exploit vulnerability in the Deployment component requiring logon to Operating System. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2808: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java accessible data. - CVE-2015-4000: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java Embedded accessible data. - CVE-2015-4731: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4732: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4733: Easily exploitable vulnerability in the RMI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4748: Very difficult to exploit vulnerability in the Security component allowed successful unauthenticated network attacks via OCSP. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4749: Difficult to exploit vulnerability in the JNDI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized ability to cause a partial denial of service (partial DOS). - CVE-2015-4760: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id119969
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119969
    titleSUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2015:1345-1) (Bar Mitzvah) (Logjam)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1604.NASL
    descriptionUpdated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Satellite 5.6 and 5.7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-1931, CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-4000, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760) Note: This update forces the TLS/SSL client implementation in IBM JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. Users of Red Hat Satellite 5.6 and 5.7 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP7 release. For this update to take effect, Red Hat Satellite must be restarted (
    last seen2020-06-01
    modified2020-06-02
    plugin id85373
    published2015-08-13
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85373
    titleRHEL 5 / 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:1604) (Logjam)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1485.NASL
    descriptionUpdated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-1931, CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760) Note: This update forces the TLS/SSL client implementation in IBM JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR3-FP10 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id84955
    published2015-07-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84955
    titleRHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:1485) (Logjam)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1331-1.NASL
    descriptionIBM Java was updated to 7.1-3.10 to fix several security issues. The following vulnerabilities were fixed : - CVE-2015-1931: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. - CVE-2015-2590: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2601: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2613: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. - CVE-2015-2619: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2621: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2625: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2632: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2637: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2638: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2664: Difficult to exploit vulnerability in the Deployment component requiring logon to Operating System. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2808: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java accessible data. - CVE-2015-4000: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java Embedded accessible data. - CVE-2015-4729: Very difficult to exploit vulnerability in the Deployment component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data. - CVE-2015-4731: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4732: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4733: Easily exploitable vulnerability in the RMI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4748: Very difficult to exploit vulnerability in the Security component allowed successful unauthenticated network attacks via OCSP. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4749: Difficult to exploit vulnerability in the JNDI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized ability to cause a partial denial of service (partial DOS). - CVE-2015-4760: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85214
    published2015-08-04
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85214
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2015:1331-1) (Bar Mitzvah) (Logjam)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1509-1.NASL
    descriptionIBM Java was updated to version 6 SR16 FP7 (6.0-16.7) to fix several security issues and bugs. The following vulnerabilities were fixed : - CVE-2015-1931: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. - CVE-2015-2590: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2601: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2621: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2625: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2632: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2637: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2638: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2664: Difficult to exploit vulnerability in the Deployment component requiring logon to Operating System. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2808: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java accessible data. - CVE-2015-4000: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java Embedded accessible data. (bnc#935540) - CVE-2015-4731: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4732: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4733: Easily exploitable vulnerability in the RMI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4748: Very difficult to exploit vulnerability in the Security component allowed successful unauthenticated network attacks via OCSP. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4749: Difficult to exploit vulnerability in the JNDI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized ability to cause a partial denial of service (partial DOS). - CVE-2015-4760: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85869
    published2015-09-09
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85869
    titleSUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2015:1509-1) (Bar Mitzvah) (Logjam)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1486.NASL
    descriptionUpdated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-1931, CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-4000, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760) Note: This update forces the TLS/SSL client implementation in IBM JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP7 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id84956
    published2015-07-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84956
    titleRHEL 5 / 6 : java-1.6.0-ibm (RHSA-2015:1486) (Logjam)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1544.NASL
    descriptionUpdated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-1931, CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-4000, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760) Note: This update forces the TLS/SSL client implementation in IBM JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. IBM Java SDK and JRE 5.0 will not receive software updates after September 2015. This date is referred to as the End of Service (EOS) date. Customers are advised to migrate to current versions of IBM Java at this time. IBM Java SDK and JRE versions 6 and 7 are available via the Red Hat Enterprise Linux 5 and 6 Supplementary content sets and will continue to receive updates based on IBM
    last seen2020-06-01
    modified2020-06-02
    plugin id85238
    published2015-08-05
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85238
    titleRHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:1544) (Logjam)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1488.NASL
    descriptionUpdated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-1931, CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760) Note: This update forces the TLS/SSL client implementation in IBM JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change. All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR9-FP10 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id84978
    published2015-07-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84978
    titleRHEL 5 : java-1.7.0-ibm (RHSA-2015:1488) (Logjam)
  • NASL familyAIX Local Security Checks
    NASL idAIX_JAVA_JULY2015_ADVISORY.NASL
    descriptionThe version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities : - Java Security Components store plaintext data in memory dumps, which allows a local attacker to gain access to sensitive information. (CVE-2015-1931) - A flaw exists in the readSerialData() function in class ObjectInputStream.java when handling OIS data, which allows an attacker to execute arbitrary code. (CVE-2015-2590) - Multiple flaws exist in the JCE component due to various cryptographic operations using non-constant time comparisons. A remote attacker can exploit this to conduct timing attacks to gain access to sensitive information. (CVE-2015-2601) - A flaw exists in the ECDH_Derive() function in file ec.c due to missing EC parameter validation when performing ECDH key derivation. A remote attacker can exploit this to access sensitive information. (CVE-2015-2613) - An unspecified vulnerability exists in the 2D component that allows a remote attacker to access sensitive information. (CVE-2015-2619, CVE-2015-2637) - A flaw exists in the RMIConnectionImpl constructor in class RMIConnectionImpl.java due to improper permission checks when creating repository class loaders. An attacker can exploit this to bypass sandbox restrictions and access sensitive information. (CVE-2015-2621) - An unspecified flaw exists in the JSSE component when handling the SSL/TLS protocol. A remote attacker can exploit this to gain access to sensitive information. (CVE-2015-2625) - An integer overflow condition exists in the International Components for Unicode for C/C++ (ICU4C). An attacker, using a specially crafted font, can exploit this to crash an application using this library or access memory contents. (CVE-2015-2632) - A unspecified vulnerability exists in the 2D component that allows a remote attacker to execute arbitrary code. (CVE-2015-2638) - An unspecified flaw exists in the Deployment component that allows a local attacker to gain elevated privileges. (CVE-2015-2664) - A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000) - An unspecified vulnerability exists in the Deployment component that impacts confidentiality and integrity. (CVE-2015-4729) - A flaw exists in class MBeanServerInvocationHandler.java when handling MBean connection proxy classes. An attacker can exploit this to bypass sandbox restrictions and execute arbitrary code. (CVE-2015-4731) - Multiple flaws exist in classes ObjectInputStream.java and SerialCallbackContext.java related to insufficient context checking. An attacker can exploit these to execute arbitrary code. (CVE-2015-4732) - A flaw exists in the invoke() method in the class RemoteObjectInvocationHandler.java due to calls to the finalize() method being permitted. An attacker can exploit this to bypass sandbox protections and execute arbitrary code. (CVE-2015-4733) - An unspecified flaw exists in the Deployment component that allows a local attacker to execute arbitrary code. (CVE-2015-4736) - A flaw exists in the Security component when handling Online Certificate Status Protocol (OCSP) responses with no
    last seen2020-06-01
    modified2020-06-02
    plugin id85447
    published2015-08-17
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85447
    titleAIX Java Advisory : java_july2015_advisory.asc (Logjam)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1329-1.NASL
    descriptionIBM Java was updated to 7.1-3.10 to fix several security issues. The following vulnerabilities were fixed : - CVE-2015-1931: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system. - CVE-2015-2590: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2601: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2613: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. - CVE-2015-2619: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2621: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2625: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2632: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2637: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data. - CVE-2015-2638: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2664: Difficult to exploit vulnerability in the Deployment component requiring logon to Operating System. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-2808: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java accessible data. - CVE-2015-4000: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java Embedded accessible data. - CVE-2015-4729: Very difficult to exploit vulnerability in the Deployment component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data. - CVE-2015-4731: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4732: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4733: Easily exploitable vulnerability in the RMI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4748: Very difficult to exploit vulnerability in the Security component allowed successful unauthenticated network attacks via OCSP. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. - CVE-2015-4749: Difficult to exploit vulnerability in the JNDI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized ability to cause a partial denial of service (partial DOS). - CVE-2015-4760: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85213
    published2015-08-04
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85213
    titleSUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2015:1329-1) (Bar Mitzvah) (Logjam)

Redhat

rpms
  • java-1.7.1-ibm-1:1.7.1.3.10-1jpp.1.ael7b_1
  • java-1.7.1-ibm-1:1.7.1.3.10-1jpp.1.el7_1
  • java-1.7.1-ibm-1:1.7.1.3.10-1jpp.3.el6_7
  • java-1.7.1-ibm-demo-1:1.7.1.3.10-1jpp.1.ael7b_1
  • java-1.7.1-ibm-demo-1:1.7.1.3.10-1jpp.1.el7_1
  • java-1.7.1-ibm-demo-1:1.7.1.3.10-1jpp.3.el6_7
  • java-1.7.1-ibm-devel-1:1.7.1.3.10-1jpp.1.ael7b_1
  • java-1.7.1-ibm-devel-1:1.7.1.3.10-1jpp.1.el7_1
  • java-1.7.1-ibm-devel-1:1.7.1.3.10-1jpp.3.el6_7
  • java-1.7.1-ibm-jdbc-1:1.7.1.3.10-1jpp.1.ael7b_1
  • java-1.7.1-ibm-jdbc-1:1.7.1.3.10-1jpp.1.el7_1
  • java-1.7.1-ibm-jdbc-1:1.7.1.3.10-1jpp.3.el6_7
  • java-1.7.1-ibm-plugin-1:1.7.1.3.10-1jpp.1.el7_1
  • java-1.7.1-ibm-plugin-1:1.7.1.3.10-1jpp.3.el6_7
  • java-1.7.1-ibm-src-1:1.7.1.3.10-1jpp.1.ael7b_1
  • java-1.7.1-ibm-src-1:1.7.1.3.10-1jpp.1.el7_1
  • java-1.7.1-ibm-src-1:1.7.1.3.10-1jpp.3.el6_7
  • java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.6.0-ibm-accessibility-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-demo-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-demo-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.6.0-ibm-devel-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-devel-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.6.0-ibm-javacomm-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-javacomm-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.6.0-ibm-jdbc-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-jdbc-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.6.0-ibm-plugin-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-plugin-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.6.0-ibm-src-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-src-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.7.0-ibm-1:1.7.0.9.10-1jpp.2.el5
  • java-1.7.0-ibm-demo-1:1.7.0.9.10-1jpp.2.el5
  • java-1.7.0-ibm-devel-1:1.7.0.9.10-1jpp.2.el5
  • java-1.7.0-ibm-jdbc-1:1.7.0.9.10-1jpp.2.el5
  • java-1.7.0-ibm-plugin-1:1.7.0.9.10-1jpp.2.el5
  • java-1.7.0-ibm-src-1:1.7.0.9.10-1jpp.2.el5
  • java-1.5.0-ibm-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-1:1.5.0.16.13-1jpp.3.el6_7
  • java-1.5.0-ibm-accessibility-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-demo-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-demo-1:1.5.0.16.13-1jpp.3.el6_7
  • java-1.5.0-ibm-devel-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-devel-1:1.5.0.16.13-1jpp.3.el6_7
  • java-1.5.0-ibm-javacomm-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-javacomm-1:1.5.0.16.13-1jpp.3.el6_7
  • java-1.5.0-ibm-jdbc-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-jdbc-1:1.5.0.16.13-1jpp.3.el6_7
  • java-1.5.0-ibm-plugin-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-plugin-1:1.5.0.16.13-1jpp.3.el6_7
  • java-1.5.0-ibm-src-1:1.5.0.16.13-1jpp.3.el5
  • java-1.5.0-ibm-src-1:1.5.0.16.13-1jpp.3.el6_7
  • java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-1:1.6.0.16.7-1jpp.1.el6_7
  • java-1.6.0-ibm-devel-1:1.6.0.16.7-1jpp.1.el5
  • java-1.6.0-ibm-devel-1:1.6.0.16.7-1jpp.1.el6_7