Vulnerabilities > CVE-2016-3598 - Unspecified vulnerability in Oracle Jdk, JRE and Linux

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
oracle
critical
nessus

Summary

Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3610.

Vulnerable Configurations

Part Description Count
Application
Oracle
4
OS
Oracle
3

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1504.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550)
    last seen2020-06-01
    modified2020-06-02
    plugin id92604
    published2016-07-28
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92604
    titleRHEL 5 / 6 / 7 : java-1.7.0-openjdk (RHSA-2016:1504)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:1504. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92604);
      script_version("2.14");
      script_cvs_date("Date: 2019/10/24 15:35:41");
    
      script_cve_id("CVE-2016-3458", "CVE-2016-3500", "CVE-2016-3508", "CVE-2016-3550", "CVE-2016-3598", "CVE-2016-3606", "CVE-2016-3610");
      script_xref(name:"RHSA", value:"2016:1504");
    
      script_name(english:"RHEL 5 / 6 / 7 : java-1.7.0-openjdk (RHSA-2016:1504)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for java-1.7.0-openjdk is now available for Red Hat
    Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
    Environment and the OpenJDK 7 Java Software Development Kit.
    
    Security Fix(es) :
    
    * Multiple flaws were discovered in the Hotspot and Libraries
    components in OpenJDK. An untrusted Java application or applet could
    use these flaws to completely bypass Java sandbox restrictions.
    (CVE-2016-3606, CVE-2016-3598, CVE-2016-3610)
    
    * Multiple denial of service flaws were found in the JAXP component in
    OpenJDK. A specially crafted XML file could cause a Java application
    using JAXP to consume an excessive amount of CPU and memory when
    parsed. (CVE-2016-3500, CVE-2016-3508)
    
    * Multiple flaws were found in the CORBA and Hotsport components in
    OpenJDK. An untrusted Java application or applet could use these flaws
    to bypass certain Java sandbox restrictions. (CVE-2016-3458,
    CVE-2016-3550)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2016:1504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3458"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3610"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3598"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3550"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3606"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3508"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3500"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(5|6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2016:1504";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-openjdk-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-openjdk-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-openjdk-javadoc-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-openjdk-javadoc-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-openjdk-src-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-openjdk-src-1.7.0.111-2.6.7.1.el5_11")) flag++;
    
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", reference:"java-1.7.0-openjdk-javadoc-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.el6_8")) flag++;
    
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-accessibility-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-accessibility-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-headless-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-headless-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"java-1.7.0-openjdk-javadoc-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.el7_2")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc");
      }
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-1504.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550)
    last seen2020-06-01
    modified2020-06-02
    plugin id92586
    published2016-07-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92586
    titleCentOS 5 / 6 / 7 : java-1.7.0-openjdk (CESA-2016:1504)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-1458.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3587, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id92473
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92473
    titleCentOS 6 / 7 : java-1.8.0-openjdk (CESA-2016:1458)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-723.NASL
    descriptionMultiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606 , CVE-2016-3587 , CVE-2016-3598 , CVE-2016-3610) Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500 , CVE-2016-3508) Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458 , CVE-2016-3550)
    last seen2020-06-01
    modified2020-06-02
    plugin id92470
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92470
    titleAmazon Linux AMI : java-1.8.0-openjdk (ALAS-2016-723)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-977.NASL
    descriptionThis update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - Import of OpenJDK 7 u111 build 0 - S6953295: Move few sun.security.(util, x509, pkcs) classes used by keytool/jarsigner to another package - S7060849: Eliminate pack200 build warnings - S7064075: Security libraries don
    last seen2020-06-05
    modified2016-08-16
    plugin id92978
    published2016-08-16
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92978
    titleopenSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-977)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2016-1032.NASL
    descriptionAccording to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. CVE-2016-3606, CVE-2016-3598, CVE-2016-3610) - Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) - Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-05-01
    plugin id99795
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99795
    titleEulerOS 2.0 SP1 : java-1.7.0-openjdk (EulerOS-SA-2016-1032)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20160727_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL
    descriptionSecurity Fix(es) : - Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3598, CVE-2016-3610) - Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) - Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550)
    last seen2020-03-18
    modified2016-07-28
    plugin id92605
    published2016-07-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92605
    titleScientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 (20160727)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1587.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR3-FP10. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-3511, CVE-2016-3598)
    last seen2020-06-01
    modified2020-06-02
    plugin id92856
    published2016-08-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92856
    titleRHEL 6 / 7 : java-1.8.0-ibm (RHSA-2016:1587)
  • NASL familyAIX Local Security Checks
    NASL idAIX_JAVA_JULY2016_ADVISORY.NASL
    descriptionThe version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following subcomponents : - An unspecified flaw exists in the Networking subcomponent that allows a local attacker to impact integrity. (CVE-2016-3485) - An unspecified flaw exists in the Deployment subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3511) - A flaw exists in the Libraries subcomponent in the share/classes/java/lang/invoke/MethodHandles.java class within the MethodHandles::dropArguments() function that allows an unauthenticated, remote attacker to impact confidentiality, integrity, and availability. (CVE-2016-3598)
    last seen2020-06-01
    modified2020-06-02
    plugin id94970
    published2016-11-18
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94970
    titleAIX Java Advisory : java_july2016_advisory.asc (July 2016 CPU)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2012-1.NASL
    descriptionThis update for java-1_8_0-openjdk fixes the following issues : - Upgrade to version jdk8u101 (icedtea 3.1.0) - New in release 3.1.0 (2016-07-25) : - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8146514: Enforce GCM limits - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149070: Enforce update ordering - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8153312: Constrain AppCDS behavior - S8154475, CVE-2016-3587: Clean up lookup visibility (bsc#989721) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3552 (bsc#989726) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - New features - S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3 on Linux - PR2821: Support building OpenJDK with --disable-headful - PR2931, G478960: Provide Infinality Support via fontconfig - PR3079: Provide option to build Shenandoah on x86_64 - Import of OpenJDK 8 u92 build 14 - S6869327: Add new C2 flag to keep safepoints in counted loops. - S8022865: [TESTBUG] Compressed Oops testing needs to be revised - S8029630: Thread id should be displayed as a hex number in error report - S8029726: On OS X some dtrace probe names are mismatched with Solaris - S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired. - S8029728: On OS X dtrace probes SetStaticBooleanField are not fired - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8041501: ImageIO reader is not capable of reading JPEGs without JFIF header - S8041900: [macosx] Java forces the use of discrete GPU - S8044363: Remove special build options for unpack200 executable - S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for hotspot ARCH - S8046611: Build errors with gcc on sparc/fastdebug - S8047763: Recognize sparc64 as a sparc platform - S8048232: Fix for 8046471 breaks PPC64 build - S8052396: Catch exceptions resulting from missing font cmap - S8058563: InstanceKlass::_dependencies list isn
    last seen2020-06-01
    modified2020-06-02
    plugin id93281
    published2016-09-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93281
    titleSUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2016:2012-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-729.NASL
    descriptionMultiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606 , CVE-2016-3598 , CVE-2016-3610) Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500 , CVE-2016-3508) Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458 , CVE-2016-3550)
    last seen2020-06-01
    modified2020-06-02
    plugin id92664
    published2016-08-02
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92664
    titleAmazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-729)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201610-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201610-08 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities exist in both Oracle&rsquo;s JRE and JDK. Please review the referenced CVE&rsquo;s for additional information. Impact : Remote attackers could gain access to information, remotely execute arbitrary code, or cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id94085
    published2016-10-17
    reporterThis script is Copyright (C) 2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94085
    titleGLSA-201610-08 : Oracle JRE/JDK: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2261-1.NASL
    descriptionIBM Java 7.1 was updated to version 7.1-3.50 to fix the following security issues: CVE-2016-3485 CVE-2016-3511 CVE-2016-3598 Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93373
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93373
    titleSUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2016:2261-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1475.NASL
    descriptionAn update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 12 September 2016] This advisory has been updated to push packages into the Oracle Java for Red Hat Enterprise Linux 6 Compute Node channels. The packages included in this revised update have not been changed in any way from the packages included in the original advisory. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 101. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3458, CVE-2016-3498, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3552, CVE-2016-3587, CVE-2016-3598, CVE-2016-3606, CVE-2016-3610)
    last seen2020-06-01
    modified2020-06-02
    plugin id92508
    published2016-07-22
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92508
    titleRHEL 6 / 7 : java-1.8.0-oracle (RHSA-2016:1475)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-1458.NASL
    descriptionFrom Red Hat Security Advisory 2016:1458 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3587, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id92489
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92489
    titleOracle Linux 6 / 7 : java-1.8.0-openjdk (ELSA-2016-1458)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-43.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-43 (IcedTea: Multiple vulnerabilities) Various OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot, Libraries, and JAXP, exist which allows remote attackers to affect the confidentiality, integrity, and availability of vulnerable systems. Many of the vulnerabilities can only be exploited through sandboxed Java Web Start applications and java applets. Please review the CVE identifiers referenced below for details. Impact : Remote attackers may execute arbitrary code, compromise information, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96640
    published2017-01-20
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96640
    titleGLSA-201701-43 : IcedTea: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2726-1.NASL
    descriptionIBM Java 8 was updated to version 8.0-3.10 to fix the following security issues : - CVE-2016-3485: Unspecified vulnerability allowed local users to affect integrity via vectors related to Networking - CVE-2016-3511: Unspecified vulnerability allowed local users to affect confidentiality, integrity, and availability via vectors related to Deployment - CVE-2016-3598: Unspecified vulnerability allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information. - Add hwkeytool binary for zSeries. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94609
    published2016-11-07
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94609
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2016:2726-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-982.NASL
    descriptionUpdate to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729)
    last seen2020-06-05
    modified2016-08-17
    plugin id92992
    published2016-08-17
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92992
    titleopenSUSE Security Update : OpenJDK7 (openSUSE-2016-982)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3062-1.NASL
    descriptionMultiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code. (CVE-2016-3598, CVE-2016-3606, CVE-2016-3610) A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this to expose sensitive data over the network or possibly execute arbitrary code. (CVE-2016-3458) Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2016-3500, CVE-2016-3508) A vulnerability was discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit this to expose sensitive data over the network. (CVE-2016-3550). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id92999
    published2016-08-17
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92999
    titleUbuntu 14.04 LTS : openjdk-7 vulnerabilities (USN-3062-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-1216.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Satellite 5.7 and Red Hat Satellite 5.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP1. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2017-3241, CVE-2017-3259, CVE-2016-5573, CVE-2016-5554, CVE-2016-5542, CVE-2016-5597, CVE-2016-5556, CVE-2016-3598, CVE-2016-3511, CVE-2016-0363, CVE-2016-0686, CVE-2016-0687, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449, CVE-2016-3422, CVE-2016-0376, CVE-2016-0264)
    last seen2020-06-01
    modified2020-06-02
    plugin id100094
    published2017-05-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100094
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2017:1216)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1589.NASL
    descriptionAn update for java-1.7.0-ibm is now available for Red Hat Enterprise Linux 5 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7 SR9-FP50. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-3511, CVE-2016-3598)
    last seen2020-06-01
    modified2020-06-02
    plugin id92858
    published2016-08-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92858
    titleRHEL 5 : java-1.7.0-ibm (RHSA-2016:1589)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3043-1.NASL
    descriptionMultiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code. (CVE-2016-3587, CVE-2016-3598, CVE-2016-3606, CVE-2016-3610) A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this to expose sensitive data over the network or possibly execute arbitrary code. (CVE-2016-3458) Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2016-3500, CVE-2016-3508) A vulnerability was discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit this to expose sensitive data over the network. (CVE-2016-3550). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id92584
    published2016-07-27
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92584
    titleUbuntu 16.04 LTS : openjdk-8 vulnerabilities (USN-3043-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2347-1.NASL
    descriptionIBM Java 7.1 was updated to version 7.1-3.50 to fix the following security issues: CVE-2016-3485 CVE-2016-3511 CVE-2016-3598 Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information. - Add hwkeytool binary for zSeries. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93646
    published2016-09-22
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93646
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2016:2347-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1997-1.NASL
    descriptionThis update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - Import of OpenJDK 7 u111 build 0 - S6953295: Move few sun.security.{util, x509, pkcs} classes used by keytool/jarsigner to another package - S7060849: Eliminate pack200 build warnings - S7064075: Security libraries don
    last seen2020-06-01
    modified2020-06-02
    plugin id93272
    published2016-09-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93272
    titleSUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:1997-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-944.NASL
    descriptionThis update for java-1_8_0-openjdk fixes the following issues : - Upgrade to version jdk8u101 (icedtea 3.1.0) - New in release 3.1.0 (2016-07-25) : - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (boo#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (boo#989734) - S8146514: Enforce GCM limits - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (boo#989730) - S8149070: Enforce update ordering - S8149962, CVE-2016-3508: Better delineation of XML processing (boo#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (boo#989733) - S8153312: Constrain AppCDS behavior - S8154475, CVE-2016-3587: Clean up lookup visibility (boo#989721) - S8155981, CVE-2016-3606: Bolster bytecode verification (boo#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (boo#989723) - S8158571, CVE-2016-3610: Additional method handle validation (boo#989725) - CVE-2016-3552 (boo#989726) - CVE-2016-3511 (boo#989727) - CVE-2016-3503 (boo#989728) - CVE-2016-3498 (boo#989729) - New features - S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3 on Linux - PR2821: Support building OpenJDK with --disable-headful - PR2931, G478960: Provide Infinality Support via fontconfig - PR3079: Provide option to build Shenandoah on x86_64 - Import of OpenJDK 8 u92 build 14 - S6869327: Add new C2 flag to keep safepoints in counted loops. - S8022865: [TESTBUG] Compressed Oops testing needs to be revised - S8029630: Thread id should be displayed as a hex number in error report - S8029726: On OS X some dtrace probe names are mismatched with Solaris - S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired. - S8029728: On OS X dtrace probes SetStaticBooleanField are not fired - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8041501: ImageIO reader is not capable of reading JPEGs without JFIF header - S8041900: [macosx] Java forces the use of discrete GPU - S8044363: Remove special build options for unpack200 executable - S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for hotspot ARCH - S8046611: Build errors with gcc on sparc/fastdebug - S8047763: Recognize sparc64 as a sparc platform - S8048232: Fix for 8046471 breaks PPC64 build - S8052396: Catch exceptions resulting from missing font cmap - S8058563: InstanceKlass::_dependencies list isn
    last seen2020-06-05
    modified2016-08-08
    plugin id92774
    published2016-08-08
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92774
    titleopenSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-944)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-978.NASL
    descriptionThis update for java-1_8_0-openjdk fixes the following issues : - Upgrade to version jdk8u101 (icedtea 3.1.0) - New in release 3.1.0 (2016-07-25) : - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8146514: Enforce GCM limits - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149070: Enforce update ordering - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8153312: Constrain AppCDS behavior - S8154475, CVE-2016-3587: Clean up lookup visibility (bsc#989721) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3552 (bsc#989726) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - New features - S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3 on Linux - PR2821: Support building OpenJDK with --disable-headful - PR2931, G478960: Provide Infinality Support via fontconfig - PR3079: Provide option to build Shenandoah on x86_64 - Import of OpenJDK 8 u92 build 14 - S6869327: Add new C2 flag to keep safepoints in counted loops. - S8022865: [TESTBUG] Compressed Oops testing needs to be revised - S8029630: Thread id should be displayed as a hex number in error report - S8029726: On OS X some dtrace probe names are mismatched with Solaris - S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired. - S8029728: On OS X dtrace probes SetStaticBooleanField are not fired - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8041501: ImageIO reader is not capable of reading JPEGs without JFIF header - S8041900: [macosx] Java forces the use of discrete GPU - S8044363: Remove special build options for unpack200 executable - S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for hotspot ARCH - S8046611: Build errors with gcc on sparc/fastdebug - S8047763: Recognize sparc64 as a sparc platform - S8048232: Fix for 8046471 breaks PPC64 build - S8052396: Catch exceptions resulting from missing font cmap - S8058563: InstanceKlass::_dependencies list isn
    last seen2020-06-05
    modified2016-08-16
    plugin id92979
    published2016-08-16
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92979
    titleopenSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-978)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2286-1.NASL
    descriptionIBM Java 7 was updated to 7.1-9.50, fixing bugs and security issues (bsc#992537). Security issues fixed: CVE-2016-3485 CVE-2016-3511 CVE-2016-3598 Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93458
    published2016-09-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93458
    titleSUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:2286-1)
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_JUL_2016_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 101, 7 Update 111, or 6 Update 121. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the CORBA subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3458) - An unspecified flaw exists in the Networking subcomponent that allows a local attacker to impact integrity. (CVE-2016-3485) - An unspecified flaw exists in the JavaFX subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3498) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3500) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3503) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3508) - An unspecified flaw exists in the Deployment subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3511) - An unspecified flaw exists in the Hotspot subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3550) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3552) - A flaw exists in the Hotspot subcomponent due to improper access to the MethodHandle::invokeBasic() function. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3587) - A flaw exists in the Libraries subcomponent within the MethodHandles::dropArguments() function that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3598) - A flaw exists in the Hotspot subcomponent within the ClassVerifier::ends_in_athrow() function when handling bytecode verification. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3606) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3610)
    last seen2020-06-01
    modified2020-06-02
    plugin id92517
    published2016-07-22
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92517
    titleOracle Java SE Multiple Vulnerabilities (July 2016 CPU) (Unix)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-976.NASL
    descriptionThis update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - Import of OpenJDK 7 u111 build 0 - S6953295: Move few sun.security.(util, x509, pkcs) classes used by keytool/jarsigner to another package - S7060849: Eliminate pack200 build warnings - S7064075: Security libraries don
    last seen2020-06-05
    modified2016-08-12
    plugin id92932
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92932
    titleopenSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-976)
  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_JUL_2016.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 101, 7 Update 111, or 6 Update 121. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the CORBA subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3458) - An unspecified flaw exists in the Networking subcomponent that allows a local attacker to impact integrity. (CVE-2016-3485) - An unspecified flaw exists in the JavaFX subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3498) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3500) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3503) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3508) - An unspecified flaw exists in the Deployment subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3511) - An unspecified flaw exists in the Hotspot subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3550) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3552) - A flaw exists in the Hotspot subcomponent due to improper access to the MethodHandle::invokeBasic() function. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3587) - A flaw exists in the Libraries subcomponent within the MethodHandles::dropArguments() function that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3598) - A flaw exists in the Hotspot subcomponent within the ClassVerifier::ends_in_athrow() function when handling bytecode verification. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3606) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3610)
    last seen2020-06-01
    modified2020-06-02
    plugin id92516
    published2016-07-22
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92516
    titleOracle Java SE Multiple Vulnerabilities (July 2016 CPU)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1458.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3587, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id92490
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92490
    titleRHEL 6 / 7 : java-1.8.0-openjdk (RHSA-2016:1458)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-1504.NASL
    descriptionFrom Red Hat Security Advisory 2016:1504 : An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3598, CVE-2016-3610) * Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) * Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550)
    last seen2020-06-01
    modified2020-06-02
    plugin id92599
    published2016-07-28
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92599
    titleOracle Linux 5 / 6 / 7 : java-1.7.0-openjdk (ELSA-2016-1504)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1588.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR3-FP50. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-3511, CVE-2016-3598)
    last seen2020-06-01
    modified2020-06-02
    plugin id92857
    published2016-08-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92857
    titleRHEL 6 / 7 : java-1.7.1-ibm (RHSA-2016:1588)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20160720_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-3606, CVE-2016-3587, CVE-2016-3598, CVE-2016-3610) - Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508) - Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-03-18
    modified2016-07-21
    plugin id92491
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92491
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64 (20160720)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0111_JAVA-1.8.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory. (CVE-2017-3526) - An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges. (CVE-2017-3511) - It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re- use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user. (CVE-2017-3509) - A newline injection flaw was discovered in the SMTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate SMTP connections established by a Java application. (CVE-2017-3544) - It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. (CVE-2017-3539) - A newline injection flaw was discovered in the FTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate FTP connections established by a Java application. (CVE-2017-3533) - It was discovered that the Libraries component of OpenJDK accepted ECDSA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) - It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) - A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) - It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 4.3 (Confidentiality impacts). (CVE-2017-3231, CVE-2017-3261) - It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) - It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) - It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). (CVE-2017-3272) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). (CVE-2017-3289) - It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm. (CVE-2016-5542) - A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554) - It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim
    last seen2020-06-01
    modified2020-06-02
    plugin id127348
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127348
    titleNewStart CGSL MAIN 4.05 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0111)

Redhat

advisories
  • rhsa
    idRHSA-2016:1458
  • rhsa
    idRHSA-2016:1475
  • rhsa
    idRHSA-2016:1504
  • rhsa
    idRHSA-2016:1587
  • rhsa
    idRHSA-2016:1588
  • rhsa
    idRHSA-2016:1589
  • rhsa
    idRHSA-2017:1216
rpms
  • java-1.8.0-openjdk-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-accessibility-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-accessibility-debug-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-debug-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-debug-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-demo-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-demo-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-devel-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-devel-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-headless-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-headless-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-javadoc-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-javadoc-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-src-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-src-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-openjdk-src-debug-1:1.8.0.101-3.b13.el6_8
  • java-1.8.0-openjdk-src-debug-1:1.8.0.101-3.b13.el7_2
  • java-1.8.0-oracle-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-devel-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-devel-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-javafx-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-javafx-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-jdbc-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-jdbc-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-plugin-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-plugin-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-src-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-src-1:1.8.0.101-1jpp.1.el7
  • java-1.7.0-openjdk-1:1.7.0.111-2.6.7.1.el5_11
  • java-1.7.0-openjdk-1:1.7.0.111-2.6.7.2.el6_8
  • java-1.7.0-openjdk-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.7.0-openjdk-accessibility-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.111-2.6.7.1.el5_11
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.111-2.6.7.2.el6_8
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.7.0-openjdk-demo-1:1.7.0.111-2.6.7.1.el5_11
  • java-1.7.0-openjdk-demo-1:1.7.0.111-2.6.7.2.el6_8
  • java-1.7.0-openjdk-demo-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.7.0-openjdk-devel-1:1.7.0.111-2.6.7.1.el5_11
  • java-1.7.0-openjdk-devel-1:1.7.0.111-2.6.7.2.el6_8
  • java-1.7.0-openjdk-devel-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.7.0-openjdk-headless-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.7.0-openjdk-javadoc-1:1.7.0.111-2.6.7.1.el5_11
  • java-1.7.0-openjdk-javadoc-1:1.7.0.111-2.6.7.2.el6_8
  • java-1.7.0-openjdk-javadoc-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.7.0-openjdk-src-1:1.7.0.111-2.6.7.1.el5_11
  • java-1.7.0-openjdk-src-1:1.7.0.111-2.6.7.2.el6_8
  • java-1.7.0-openjdk-src-1:1.7.0.111-2.6.7.2.el7_2
  • java-1.8.0-ibm-1:1.8.0.3.10-1jpp.2.el6_8
  • java-1.8.0-ibm-1:1.8.0.3.10-1jpp.2.el7_2
  • java-1.8.0-ibm-demo-1:1.8.0.3.10-1jpp.2.el6_8
  • java-1.8.0-ibm-demo-1:1.8.0.3.10-1jpp.2.el7_2
  • java-1.8.0-ibm-devel-1:1.8.0.3.10-1jpp.2.el6_8
  • java-1.8.0-ibm-devel-1:1.8.0.3.10-1jpp.2.el7_2
  • java-1.8.0-ibm-jdbc-1:1.8.0.3.10-1jpp.2.el6_8
  • java-1.8.0-ibm-jdbc-1:1.8.0.3.10-1jpp.2.el7_2
  • java-1.8.0-ibm-plugin-1:1.8.0.3.10-1jpp.2.el6_8
  • java-1.8.0-ibm-plugin-1:1.8.0.3.10-1jpp.2.el7_2
  • java-1.8.0-ibm-src-1:1.8.0.3.10-1jpp.2.el6_8
  • java-1.8.0-ibm-src-1:1.8.0.3.10-1jpp.2.el7_2
  • java-1.7.1-ibm-1:1.7.1.3.50-1jpp.1.el6_8
  • java-1.7.1-ibm-1:1.7.1.3.50-1jpp.1.el7_2
  • java-1.7.1-ibm-demo-1:1.7.1.3.50-1jpp.1.el6_8
  • java-1.7.1-ibm-demo-1:1.7.1.3.50-1jpp.1.el7_2
  • java-1.7.1-ibm-devel-1:1.7.1.3.50-1jpp.1.el6_8
  • java-1.7.1-ibm-devel-1:1.7.1.3.50-1jpp.1.el7_2
  • java-1.7.1-ibm-jdbc-1:1.7.1.3.50-1jpp.1.el6_8
  • java-1.7.1-ibm-jdbc-1:1.7.1.3.50-1jpp.1.el7_2
  • java-1.7.1-ibm-plugin-1:1.7.1.3.50-1jpp.1.el6_8
  • java-1.7.1-ibm-plugin-1:1.7.1.3.50-1jpp.1.el7_2
  • java-1.7.1-ibm-src-1:1.7.1.3.50-1jpp.1.el6_8
  • java-1.7.1-ibm-src-1:1.7.1.3.50-1jpp.1.el7_2
  • java-1.7.0-ibm-1:1.7.0.9.50-1jpp.1.el5_11
  • java-1.7.0-ibm-demo-1:1.7.0.9.50-1jpp.1.el5_11
  • java-1.7.0-ibm-devel-1:1.7.0.9.50-1jpp.1.el5_11
  • java-1.7.0-ibm-jdbc-1:1.7.0.9.50-1jpp.1.el5_11
  • java-1.7.0-ibm-plugin-1:1.7.0.9.50-1jpp.1.el5_11
  • java-1.7.0-ibm-src-1:1.7.0.9.50-1jpp.1.el5_11
  • java-1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8
  • java-1.7.1-ibm-devel-1:1.7.1.4.1-1jpp.1.el6_8

References