Vulnerabilities > CVE-2015-4871 - Unspecified vulnerability in Oracle JDK and JRE
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
Unspecified vulnerability in Oracle Java SE 7u85 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3401.NASL description It was discovered that rebinding a receiver of a direct method handle may allow a protected method to be accessed. last seen 2020-06-01 modified 2020-06-02 plugin id 86998 published 2015-11-23 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86998 title Debian DSA-3401-1 : openjdk-7 - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3401. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(86998); script_version("2.2"); script_cvs_date("Date: 2018/11/10 11:49:37"); script_cve_id("CVE-2015-4871"); script_xref(name:"DSA", value:"3401"); script_name(english:"Debian DSA-3401-1 : openjdk-7 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that rebinding a receiver of a direct method handle may allow a protected method to be accessed." ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/openjdk-7" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/openjdk-7" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2015/dsa-3401" ); script_set_attribute( attribute:"solution", value: "Upgrade the openjdk-7 packages. For the oldstable distribution (wheezy), this problem has been fixed in version 7u91-2.6.3-1~deb7u1. For the stable distribution (jessie), this problem has been fixed in version 7u91-2.6.3-1~deb8u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openjdk-7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/11/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"icedtea-7-jre-cacao", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"icedtea-7-jre-jamvm", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-dbg", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-demo", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-doc", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-jdk", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-jre", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-jre-headless", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-jre-lib", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-jre-zero", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openjdk-7-source", reference:"7u91-2.6.3-1~deb7u1")) flag++; if (deb_check(release:"8.0", prefix:"icedtea-7-jre-jamvm", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-dbg", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-demo", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-doc", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-jdk", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-jre", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-jre-headless", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-jre-lib", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-jre-zero", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"openjdk-7-source", reference:"7u91-2.6.3-1~deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2268-1.NASL description This update for java-1_8_0-ibm fixes the following issues : - Version update to 8.0-2.0 (bsc#955131): CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir. - Provide %{name} instead of %{sdklnk} only in _jvmprivdir. (bsc#941939) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87405 published 2015-12-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87405 title SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2015:2268-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2015:2268-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(87405); script_version("2.7"); script_cvs_date("Date: 2019/09/11 11:22:12"); script_cve_id("CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911", "CVE-2015-5006"); script_name(english:"SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2015:2268-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for java-1_8_0-ibm fixes the following issues : - Version update to 8.0-2.0 (bsc#955131): CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir. - Provide %{name} instead of %{sdklnk} only in _jvmprivdir. (bsc#941939) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=941939" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=955131" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4734/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4805/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4806/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4810/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4835/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4840/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4842/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4843/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4844/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4860/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4871/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4872/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4882/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4883/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4893/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4902/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4903/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-4911/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-5006/" ); # https://www.suse.com/support/update/announcement/2015/suse-su-20152268-1.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6501e6ec" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP1 : zypper in -t patch SUSE-SLE-SDK-12-SP1-2015-965=1 SUSE Linux Enterprise Server 12-SP1 : zypper in -t patch SUSE-SLE-SERVER-12-SP1-2015-965=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/21"); script_set_attribute(attribute:"patch_publication_date", value:"2015/12/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr2.0-4.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr2.0-4.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"java-1_8_0-ibm-1.8.0_sr2.0-4.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1_8_0-ibm"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-2506.NASL description Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR3-FP20 release. All running instances of IBM Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 87047 published 2015-11-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87047 title RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:2506) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2015:2506. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(87047); script_version("1.11"); script_cvs_date("Date: 2019/10/24 15:35:40"); script_cve_id("CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-5006"); script_xref(name:"RHSA", value:"2015:2506"); script_name(english:"RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:2506)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR3-FP20 release. All running instances of IBM Java must be restarted for the update to take effect." ); # http://www.ibm.com/developerworks/java/jdk/alerts/ script_set_attribute( attribute:"see_also", value:"https://developer.ibm.com/javasdk/support/security-vulnerabilities/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2015:2506" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4810" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4902" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4843" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4842" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4840" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4872" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4860" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4844" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4893" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4883" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4734" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4882" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4903" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4806" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4805" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4803" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4835" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4871" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-5006" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/21"); script_set_attribute(attribute:"patch_publication_date", value:"2015/11/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2015:2506"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7")) flag++; if (rpm_check(release:"RHEL7", reference:"java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc"); } }NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-115.NASL description java-1_7_0-openjdk was updated to version 7u95 to fix 9 security issues. (bsc#962743) - CVE-2015-4871: Rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed - CVE-2015-7575: Further reduce use of MD5 (SLOTH) (bsc#960996) - CVE-2015-8126: Vulnerability in the AWT component related to splashscreen displays - CVE-2015-8472: Vulnerability in the AWT component, addressed by same fix - CVE-2016-0402: Vulnerability in the Networking component related to URL processing - CVE-2016-0448: Vulnerability in the JMX comonent related to attribute processing - CVE-2016-0466: Vulnerability in the JAXP component, related to limits - CVE-2016-0483: Vulnerability in the AWT component related to image decoding - CVE-2016-0494: Vulnerability in 2D component related to font actions The following bugs were fixed : - bsc#939523: java-1_7_0-openjdk-headless had X dependencies, move libjavagtk to full package This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-02-03 plugin id 88541 published 2016-02-03 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/88541 title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-115) (SLOTH) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2216-1.NASL description The java-1_7_0-ibm package was updated to version 7.0-9.20 to fix several security and non security issues : - bnc#955131: Version update to 7.0-9.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87277 published 2015-12-09 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87277 title SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2015:2216-1) (FREAK) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-0269-1.NASL description java-1_7_0-openjdk was updated to version 7u95 to fix 9 security issues. (bsc#962743) - CVE-2015-4871: Rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed - CVE-2015-7575: Further reduce use of MD5 (SLOTH) (bsc#960996) - CVE-2015-8126: Vulnerability in the AWT component related to splashscreen displays - CVE-2015-8472: Vulnerability in the AWT component, addressed by same fix - CVE-2016-0402: Vulnerability in the Networking component related to URL processing - CVE-2016-0448: Vulnerability in the JMX comonent related to attribute processing - CVE-2016-0466: Vulnerability in the JAXP component, related to limits - CVE-2016-0483: Vulnerability in the AWT component related to image decoding - CVE-2016-0494: Vulnerability in 2D component related to font actions Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 88486 published 2016-01-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88486 title SUSE SLED11 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:0269-1) (SLOTH) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-0054.NASL description From Red Hat Security Advisory 2016:0054 : Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 88071 published 2016-01-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88071 title Oracle Linux 5 / 7 : java-1.7.0-openjdk (ELSA-2016-0054) (SLOTH) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-107.NASL description java-1_7_0-openjdk was updated to version 7u95 to fix 9 security issues. (bsc#962743) - CVE-2015-4871: Rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed - CVE-2015-7575: Further reduce use of MD5 (SLOTH) (bsc#960996) - CVE-2015-8126: Vulnerability in the AWT component related to splashscreen displays - CVE-2015-8472: Vulnerability in the AWT component, addressed by same fix - CVE-2016-0402: Vulnerability in the Networking component related to URL processing - CVE-2016-0448: Vulnerability in the JMX comonent related to attribute processing - CVE-2016-0466: Vulnerability in the JAXP component, related to limits - CVE-2016-0483: Vulnerability in the AWT component related to image decoding - CVE-2016-0494: Vulnerability in 2D component related to font actions The following bugs were fixed : - bsc#939523: java-1_7_0-openjdk-headless had X dependencies, move libjavagtk to full package last seen 2020-06-05 modified 2016-02-03 plugin id 88538 published 2016-02-03 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/88538 title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-107) (SLOTH) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2168-2.NASL description The java-1_7_1-ibm package was updated to versioin 7.1-3.20 to fix several security and non security issues : - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87404 published 2015-12-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87404 title SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2168-2) (FREAK) NASL family Misc. NASL id ORACLE_JAVA_CPU_OCT_2015_UNIX.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 65, 7 Update 91, or 6 Update 105. It is, therefore, affected by security vulnerabilities in the following components : - 2D - CORBA - Deployment - JavaFX - JAXP - JGSS - Libraries - RMI - Security - Serialization last seen 2020-06-01 modified 2020-06-02 plugin id 86543 published 2015-10-22 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86543 title Oracle Java SE Multiple Vulnerabilities (October 2015 CPU) (Unix) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2192-1.NASL description This update for java-1_6_0-ibm fixes the following issues : - Version update to 6.0-16.15 bsc#955131: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 CVE-2015-2808 CVE-2015-2625 CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0458 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 - Add backcompat symlinks for sdkdir - Fix baselibs.conf policy symlinking - Fix bsc#941939 to provide %{name} instead of %{sdklnk} only in _jvmprivdir Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-24 modified 2019-01-02 plugin id 119972 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119972 title SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2015:2192-1) (Bar Mitzvah) (FREAK) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2182-1.NASL description The java-1_7_1-ibm package was updated to version 7.1-3.20 to fix several security and non security issues : - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87200 published 2015-12-04 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87200 title SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2182-1) (FREAK) NASL family Scientific Linux Local Security Checks NASL id SL_20160121_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL description An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-03-18 modified 2016-01-22 plugin id 88079 published 2016-01-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88079 title Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL7.x i386/x86_64 (20160121) (SLOTH) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-0053.NASL description Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 88062 published 2016-01-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88062 title CentOS 6 : java-1.7.0-openjdk (CESA-2016:0053) (SLOTH) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-0053.NASL description From Red Hat Security Advisory 2016:0053 : Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 88070 published 2016-01-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88070 title Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2016-0053) (SLOTH) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-1430.NASL description An update for java-1.7.0-ibm and java-1.7.1-ibm is now available for Red Hat Satellite 5.7 and Red Hat Satellite 5.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to versions 7 SR9-FP40 and 7R1 SR3-FP40. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006, CVE-2015-5041, CVE-2015-7575, CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8540, CVE-2016-0264, CVE-2016-0363, CVE-2016-0376, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0483, CVE-2016-0494, CVE-2016-0686, CVE-2016-0687, CVE-2016-3422, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. last seen 2020-06-01 modified 2020-06-02 plugin id 92400 published 2016-07-19 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92400 title RHEL 5 / 6 : java-1.7.0-ibm and java-1.7.1-ibm (RHSA-2016:1430) (SLOTH) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_A5934BA8A37611E585E914DAE9D210B8.NASL description Oracle reports : This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. last seen 2020-06-01 modified 2020-06-02 plugin id 87386 published 2015-12-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87386 title FreeBSD : java -- multiple vulnerabilities (a5934ba8-a376-11e5-85e9-14dae9d210b8) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1927.NASL description Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-4911) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 91 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 86561 published 2015-10-23 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86561 title RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2015:1927) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-2507.NASL description Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR9-FP20 release. All running instances of IBM Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 87048 published 2015-11-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87048 title RHEL 5 : java-1.7.0-ibm (RHSA-2015:2507) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-110.NASL description Update OpenJDK to 7u95 / IcedTea 2.6.4 including the following fixes : - Security fixes - S8059054, CVE-2016-0402: Better URL processing - S8130710, CVE-2016-0448: Better attributes processing - S8132210: Reinforce JMX collector internals - S8132988: Better printing dialogues - S8133962, CVE-2016-0466: More general limits - S8137060: JMX memory management improvements - S8139012: Better font substitutions - S8139017, CVE-2016-0483: More stable image decoding - S8140543, CVE-2016-0494: Arrange font actions - S8143185: Cleanup for handling proxies - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays - S8144773, CVE-2015-7575: Further reduce use of MD5 (SLOTH) - S8142882, CVE-2015-4871: rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed - Import of OpenJDK 7 u95 build 0 - S7167988: PKIX CertPathBuilder in reverse mode doesn last seen 2020-06-05 modified 2016-02-03 plugin id 88540 published 2016-02-03 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88540 title openSUSE Security Update : Java7 (openSUSE-2016-110) (SLOTH) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-0053.NASL description Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 88072 published 2016-01-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88072 title RHEL 6 : java-1.7.0-openjdk (RHSA-2016:0053) (SLOTH) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-2509.NASL description Updated java-1.8.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.8.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 8 SR2 release. All running instances of IBM Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 87050 published 2015-11-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87050 title RHEL 7 : java-1.8.0-ibm (RHSA-2015:2509) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-0054.NASL description Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 88063 published 2016-01-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88063 title CentOS 5 / 7 : java-1.7.0-openjdk (CESA-2016:0054) (SLOTH) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201603-11.NASL description The remote host is affected by the vulnerability described in GLSA-201603-11 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities exist in both Oracle’s JRE and JDK. Please review the referenced CVE’s for additional information. Impact : Remote attackers could gain access to information, remotely execute arbitrary code, and cause Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 89904 published 2016-03-14 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89904 title GLSA-201603-11 : Oracle JRE/JDK: Multiple vulnerabilities (Logjam) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-0054.NASL description Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 88073 published 2016-01-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88073 title RHEL 5 / 7 : java-1.7.0-openjdk (RHSA-2016:0054) (SLOTH) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2818-1.NASL description It was discovered that rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed. Am attacker could use this to expose sensitive information or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87107 published 2015-11-30 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87107 title Ubuntu 14.04 LTS / 15.04 / 15.10 : openjdk-7 vulnerability (USN-2818-1) NASL family AIX Local Security Checks NASL id AIX_JAVA_OCT2015_ADVISORY.NASL description The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following components : - 2D - CORBA - Deployment - JAXP - JGSS - Libraries - RMI - Security - Serialization last seen 2020-06-01 modified 2020-06-02 plugin id 87374 published 2015-12-15 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/87374 title AIX Java Advisory : java_oct2015_advisory.asc (October 2015 CPU) NASL family Scientific Linux Local Security Checks NASL id SL_20160121_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL description An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871, CVE-2016-0402, CVE-2016-0448) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. All running instances of OpenJDK Java must be restarted for the update to take effect. last seen 2020-03-18 modified 2016-01-22 plugin id 88080 published 2016-01-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88080 title Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20160121) (SLOTH) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-0113-1.NASL description This version update for java-1_6_0-ibm to version 6.0.16.15 fixes the following issues : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 CVE-2015-2808 CVE-2015-2625 CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0458 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 For more information please visit: <a href= last seen 2020-06-01 modified 2020-06-02 plugin id 87914 published 2016-01-14 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87914 title SUSE SLES10 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0113-1) (Bar Mitzvah) (FREAK) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-0265-1.NASL description java-1_7_0-openjdk was updated to version 7u95 to fix 9 security issues. (bsc#962743) - CVE-2015-4871: Rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed - CVE-2015-7575: Further reduce use of MD5 (SLOTH) (bsc#960996) - CVE-2015-8126: Vulnerability in the AWT component related to splashscreen displays - CVE-2015-8472: Vulnerability in the AWT component, addressed by same fix - CVE-2016-0402: Vulnerability in the Networking component related to URL processing - CVE-2016-0448: Vulnerability in the JMX comonent related to attribute processing - CVE-2016-0466: Vulnerability in the JAXP component, related to limits - CVE-2016-0483: Vulnerability in the AWT component related to image decoding - CVE-2016-0494: Vulnerability in 2D component related to font actions The following bugs were fixed : - bsc#939523: java-1_7_0-openjdk-headless had X dependencies, move libjavagtk to full package Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 88485 published 2016-01-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88485 title SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:0265-1) (SLOTH) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-643.NASL description An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0483) An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2016-0494) It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. (CVE-2016-0466) A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575) Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871 , CVE-2016-0402 , CVE-2016-0448) Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file. last seen 2020-06-01 modified 2020-06-02 plugin id 88655 published 2016-02-10 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/88655 title Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-643) (SLOTH) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201603-14.NASL description The remote host is affected by the vulnerability described in GLSA-201603-14 (IcedTea: Multiple vulnerabilities) Various OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot, Libraries, and JAXP, exist which allows remote attackers to affect the confidentiality, integrity, and availability of vulnerable systems. This includes the possibility of remote execution of arbitrary code, information disclosure, or Denial of Service. Many of the vulnerabilities can only be exploited through sandboxed Java Web Start applications and java applets. Please reference the CVEs listed for specific details. Impact : Remote attackers may remotely execute arbitrary code, compromise information, or cause Denial of Service. Workaround : There is no known work around at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 89907 published 2016-03-14 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89907 title GLSA-201603-14 : IcedTea: Multiple vulnerabilities NASL family Windows NASL id ORACLE_JAVA_CPU_OCT_2015.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 65, 7 Update 91, or 6 Update 105. It is, therefore, affected by security vulnerabilities in the following components : - 2D - CORBA - Deployment - JavaFX - JAXP - JGSS - Libraries - RMI - Security - Serialization last seen 2020-06-01 modified 2020-06-02 plugin id 86542 published 2015-10-22 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86542 title Oracle Java SE Multiple Vulnerabilities (October 2015 CPU) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2168-1.NASL description The java-1_7_1-ibm package was updated to versioin 7.1-3.20 to fix several security and non security issues : - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87181 published 2015-12-03 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87181 title SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2168-1) (FREAK) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2166-1.NASL description This update for java-1_6_0-ibm fixes the following issues : - Version update to 6.0-16.15 bsc#955131: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 CVE-2015-2808 CVE-2015-2625 CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0458 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87180 published 2015-12-03 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87180 title SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2015:2166-1) (Bar Mitzvah) (FREAK)
Redhat
| advisories |
| ||||||||||||||||||||||||||||
| rpms |
|
References
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- https://access.redhat.com/errata/RHSA-2016:1430
- http://www.securityfocus.com/bid/77238
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- http://rhn.redhat.com/errata/RHSA-2016-0053.html
- http://rhn.redhat.com/errata/RHSA-2016-0054.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html
- http://rhn.redhat.com/errata/RHSA-2015-2506.html
- http://rhn.redhat.com/errata/RHSA-2015-2507.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html
- http://www.debian.org/security/2015/dsa-3401
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00006.html
- http://rhn.redhat.com/errata/RHSA-2015-2509.html
- http://www.ubuntu.com/usn/USN-2818-1
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00014.html
- http://www.securitytracker.com/id/1033884
- http://www.debian.org/security/2015/dsa-3381
- http://rhn.redhat.com/errata/RHSA-2015-1927.html