Vulnerabilities > CVE-2018-12539 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
eclipse
oracle
CWE-502
nessus

Summary

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2583-1.NASL
    descriptionThis update for java-1_7_1-ibm to version 7.1.4.30 fixes the following issues : Security issues fixed : CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may allow an attacker to inflict a denial-of-service attack with specially crafted String data. CVE-2018-1656: Protect against path traversal attacks when extracting compressed dump files. CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to unauthorized read access. CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to denial of service. CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE subcomponent, which allowed unauthenticated attackers with network access via SSL/TLS to compromise the Java SE, leading to unauthorized creation, deletion or modification access to critical data. CVE-2018-12539: Fixed a vulnerability in which users other than the process owner may be able to use Java Attach API to connect to the IBM JVM on the same machine and use Attach API operations, including the ability to execute untrusted arbitrary code. Other changes made: Various JIT/JVM crash fixes Version update to 7.1.4.30 (bsc#1104668) You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilit ies/# IBM_Security_Update_August_2018). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id112274
    published2018-09-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112274
    titleSUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2018:2583-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2574-1.NASL
    descriptionThis update for java-1_7_0-ibm fixes the following issues : Security issues fixed : CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may allow an attacker to inflict a denial-of-service attack with specially crafted String data. CVE-2018-1656: Protect against path traversal attacks when extracting compressed dump files. CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to unauthorized read access. CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to denial of service. CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE subcomponent, which allowed unauthenticated attackers with network access via SSL/TLS to compromise the Java SE, leading to unauthorized creation, deletion or modification access to critical data. CVE-2018-12539: Fixed a vulnerability in which users other than the process owner may be able to use Java Attach API to connect to the IBM JVM on the same machine and use Attach API operations, including the ability to execute untrusted arbitrary code. Other changes made: Various JIT/JVM crash fixes Version update to 7.1.4.30 (bsc#1104668) You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilit ies/# IBM_Security_Update_August_2018). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id112273
    published2018-09-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112273
    titleSUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2018:2574-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2649-2.NASL
    descriptionThis update for java-1_7_1-ibm fixes the following issues : Security issues fixed : CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may allow an attacker to inflict a denial-of-service attack with specially crafted String data. CVE-2018-1656: Protect against path traversal attacks when extracting compressed dump files. CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to unauthorized read access. CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to denial of service. CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE subcomponent, which allowed unauthenticated attackers with network access via SSL/TLS to compromise the Java SE, leading to unauthorized creation, deletion or modification access to critical data. CVE-2018-12539: Fixed a vulnerability in which users other than the process owner may be able to use Java Attach API to connect to the IBM JVM on the same machine and use Attach API operations, including the ability to execute untrusted arbitrary code. Other changes made: Various JIT/JVM crash fixes Version update to 7.1.4.30 (bsc#1104668) You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilit ies/# IBM_Security_Update_August_2018). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118288
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118288
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:2649-2)
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_APR_2019_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756) - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734, CVE-2018-0735, CVE-2018-5407)
    last seen2020-06-01
    modified2020-06-02
    plugin id124157
    published2019-04-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124157
    titleOracle Enterprise Manager Cloud Control (Apr 2019 CPU)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2568.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP20. Security Fix(es) : * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage () (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) * OpenSSL: Double-free in DSA code (CVE-2016-0705) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.
    last seen2020-06-01
    modified2020-06-02
    plugin id112131
    published2018-08-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112131
    titleRHEL 7 : java-1.8.0-ibm (RHSA-2018:2568)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2569.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP30. Security Fix(es) : * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage () (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id112132
    published2018-08-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112132
    titleRHEL 7 : java-1.7.1-ibm (RHSA-2018:2569)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2575.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP20. Security Fix(es) : * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage () (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) * OpenSSL: Double-free in DSA code (CVE-2016-0705) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.
    last seen2020-06-01
    modified2020-06-02
    plugin id112178
    published2018-08-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112178
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2018:2575)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2839-1.NASL
    descriptionThis update for java-1_8_0-ibm to 8.0.5.20 fixes the following security issues : CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1104668) CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1104668) CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1104668) CVE-2018-2964: Vulnerability in subcomponent: Deployment. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. (bsc#1104668) CVE-2016-0705: Prevent double free in the dsa_priv_decode function that allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#1104668) CVE-2017-3732: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668) CVE-2017-3736: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668) CVE-2018-1517: Unspecified vulnerability (bsc#1104668) CVE-2018-1656: Unspecified vulnerability (bsc#1104668) CVE-2018-12539: Users other than the process owner might have been able to use Java Attach API to connect to an IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code (bsc#1104668) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id117700
    published2018-09-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117700
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2839-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3082-1.NASL
    descriptionThis update for java-1_8_0-ibm to 8.0.5.20 fixes the following issues : CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1104668). CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1104668). CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1104668). CVE-2018-2964: Vulnerability in subcomponent: Deployment. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. (bsc#1104668). CVE-2016-0705: Prevent double free in the dsa_priv_decode function that allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#1104668). CVE-2017-3732: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668). CVE-2017-3736: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668). CVE-2018-12539: Users other than the process owner might have been able to use Java Attach API to connect to an IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code (bsc#1104668) CVE-2018-1517: Unspecified vulnerability (bsc#1104668). CVE-2018-1656: Unspecified vulnerability (bsc#1104668) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-02
    plugin id120126
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120126
    titleSUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2018:3082-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2839-2.NASL
    descriptionThis update for java-1_8_0-ibm to 8.0.5.20 fixes the following security issues : CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1104668) CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1104668) CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1104668) CVE-2018-2964: Vulnerability in subcomponent: Deployment. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. (bsc#1104668) CVE-2016-0705: Prevent double free in the dsa_priv_decode function that allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#1104668) CVE-2017-3732: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668) CVE-2017-3736: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668) CVE-2018-1517: Unspecified vulnerability (bsc#1104668) CVE-2018-1656: Unspecified vulnerability (bsc#1104668) CVE-2018-12539: Users other than the process owner might have been able to use Java Attach API to connect to an IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code (bsc#1104668) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118293
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118293
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2839-2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2713.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP20. Security Fix(es) : * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage () (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) * OpenSSL: Double-free in DSA code (CVE-2016-0705) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.
    last seen2020-06-01
    modified2020-06-02
    plugin id117587
    published2018-09-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117587
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2018:2713)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2712.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Satellite 5.6 and Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP30. Security Fix(es) : * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage () (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id117535
    published2018-09-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117535
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2018:2712)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2649-1.NASL
    descriptionThis update for java-1_7_1-ibm fixes the following issues : Security issues fixed : CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may allow an attacker to inflict a denial-of-service attack with specially crafted String data. CVE-2018-1656: Protect against path traversal attacks when extracting compressed dump files. CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to unauthorized read access. CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to denial of service. CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE subcomponent, which allowed unauthenticated attackers with network access via SSL/TLS to compromise the Java SE, leading to unauthorized creation, deletion or modification access to critical data. CVE-2018-12539: Fixed a vulnerability in which users other than the process owner may be able to use Java Attach API to connect to the IBM JVM on the same machine and use Attach API operations, including the ability to execute untrusted arbitrary code. Other changes made: Various JIT/JVM crash fixes Version update to 7.1.4.30 (bsc#1104668) You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilit ies/# IBM_Security_Update_August_2018). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id117385
    published2018-09-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117385
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:2649-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2576.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP30. Security Fix(es) : * IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539) * IBM JDK: DoS in the java.math component (CVE-2018-1517) * IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage () (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id112179
    published2018-08-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112179
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2018:2576)

Redhat

advisories
  • rhsa
    idRHSA-2018:2568
  • rhsa
    idRHSA-2018:2569
  • rhsa
    idRHSA-2018:2575
  • rhsa
    idRHSA-2018:2576
  • rhsa
    idRHSA-2018:2712
  • rhsa
    idRHSA-2018:2713
rpms
  • java-1.8.0-ibm-1:1.8.0.5.20-1jpp.1.el7
  • java-1.8.0-ibm-demo-1:1.8.0.5.20-1jpp.1.el7
  • java-1.8.0-ibm-devel-1:1.8.0.5.20-1jpp.1.el7
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.20-1jpp.1.el7
  • java-1.8.0-ibm-plugin-1:1.8.0.5.20-1jpp.1.el7
  • java-1.8.0-ibm-src-1:1.8.0.5.20-1jpp.1.el7
  • java-1.7.1-ibm-1:1.7.1.4.30-1jpp.1.el7
  • java-1.7.1-ibm-demo-1:1.7.1.4.30-1jpp.1.el7
  • java-1.7.1-ibm-devel-1:1.7.1.4.30-1jpp.1.el7
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.30-1jpp.1.el7
  • java-1.7.1-ibm-plugin-1:1.7.1.4.30-1jpp.1.el7
  • java-1.7.1-ibm-src-1:1.7.1.4.30-1jpp.1.el7
  • java-1.8.0-ibm-1:1.8.0.5.20-1jpp.1.el6_10
  • java-1.8.0-ibm-demo-1:1.8.0.5.20-1jpp.1.el6_10
  • java-1.8.0-ibm-devel-1:1.8.0.5.20-1jpp.1.el6_10
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.20-1jpp.1.el6_10
  • java-1.8.0-ibm-plugin-1:1.8.0.5.20-1jpp.1.el6_10
  • java-1.8.0-ibm-src-1:1.8.0.5.20-1jpp.1.el6_10
  • java-1.7.1-ibm-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.7.1-ibm-demo-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.7.1-ibm-devel-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.7.1-ibm-plugin-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.7.1-ibm-src-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.7.1-ibm-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.7.1-ibm-devel-1:1.7.1.4.30-1jpp.2.el6_10
  • java-1.8.0-ibm-1:1.8.0.5.20-1jpp.1.el6_10
  • java-1.8.0-ibm-devel-1:1.8.0.5.20-1jpp.1.el6_10