Vulnerabilities > CVE-2018-2657

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
LOW
network
low complexity
oracle
redhat
schneider-electric
hp
nessus

Summary

Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u171 and 7u161; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Nessus

  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_JAN_2018_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 1888888881. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Deployment - Hotspot - I18n - Installer - JCE - JGSS - JMX - JNDI - JavaFX - LDAP - Libraries - Serialization
    last seen2020-06-01
    modified2020-06-02
    plugin id106191
    published2018-01-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106191
    titleOracle Java SE Multiple Vulnerabilities (January 2018 CPU) (Unix)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106191);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id(
        "CVE-2018-2579",
        "CVE-2018-2581",
        "CVE-2018-2582",
        "CVE-2018-2588",
        "CVE-2018-2599",
        "CVE-2018-2602",
        "CVE-2018-2603",
        "CVE-2018-2618",
        "CVE-2018-2627",
        "CVE-2018-2629",
        "CVE-2018-2633",
        "CVE-2018-2634",
        "CVE-2018-2637",
        "CVE-2018-2638",
        "CVE-2018-2639",
        "CVE-2018-2641",
        "CVE-2018-2657",
        "CVE-2018-2663",
        "CVE-2018-2677",
        "CVE-2018-2678"
      );
      script_bugtraq_id(
        102546,
        102556,
        102557,
        102576,
        102584,
        102592,
        102597,
        102605,
        102612,
        102615,
        102625,
        102629,
        102633,
        102636,
        102642,
        102656,
        102659,
        102661,
        102662,
        102663
      );
    
      script_name(english:"Oracle Java SE Multiple Vulnerabilities (January 2018 CPU) (Unix)");
      script_summary(english:"Checks the version of the JRE.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Unix host contains a programming platform that is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business
    installed on the remote host is prior to 9 Update 4, 8 Update 161,
    7 Update 171, or 6 Update 1888888881. It is, therefore, affected by multiple
    vulnerabilities related to the following components :
    
      - AWT
      - Deployment
      - Hotspot
      - I18n
      - Installer
      - JCE
      - JGSS
      - JMX
      - JNDI
      - JavaFX
      - LDAP
      - Libraries
      - Serialization");
      # https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?29ce2b01");
      # https://www.oracle.com/technetwork/java/javase/9-0-4-relnotes-4021191.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?793c3773");
      # https://www.oracle.com/technetwork/java/javase/8u162-relnotes-4021436.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cc061f9a");
      # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2fbcacca");
      # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?726f7054");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle JDK / JRE 9 Update 4, 8 Update 161 / 7 Update 171 /
    6 Update 181 or later. If necessary, remove any affected versions.
    
    Note that an Extended Support contract with Oracle is needed to obtain
    JDK / JRE 6 Update 95 or later.");
      script_set_attribute(attribute:"agent", value:"unix");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-2639");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/19");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("sun_java_jre_installed_unix.nasl");
      script_require_keys("Host/Java/JRE/Installed");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit("Host/Java/JRE/Unmanaged/*");
    
    info = "";
    vuln = 0;
    vuln2 = 0;
    installed_versions = "";
    granular = "";
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - "Host/Java/JRE/Unmanaged/";
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + " & " + ver;
    
      # Fixes : (JDK|JRE) 9 Update 4 / 8 Update 161 / 7 Update 171 / 6 Update 181
      if (
        ver =~ '^1\\.6\\.0_([0-9]|[0-9][0-9]|1[0-7][0-9]|180)([^0-9]|$)' ||
        ver =~ '^1\\.7\\.0_([0-9]|[0-9][0-9]|1[0-6][0-9]|170)([^0-9]|$)' ||
        ver =~ '^1\\.8\\.0_([0-9]|[0-9][0-9]|1[0-5][0-9]|160)([^0-9]|$)' ||
        ver =~ '^1\\.9\\.0_(00|0?[0-3])([^0-9]|$)'
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.6.0_181 / 1.7.0_171 / 1.8.0_161 / 1.9.0_4\n';
      }
      else if (ver =~ "^[\d\.]+$")
      {
        dirs = make_list(get_kb_list(install));
        foreach dir (dirs)
          granular += "The Oracle Java version "+ver+" at "+dir+" is not granular enough to make a determination."+'\n';
      }
      else
      {
        dirs = make_list(get_kb_list(install));
        vuln2 += max_index(dirs);
      }
    
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      if (report_verbosity > 0)
      {
        if (vuln > 1) s = "s of Java are";
        else s = " of Java is";
    
        report =
          '\n' +
          'The following vulnerable instance'+s+' installed on the\n' +
          'remote host :\n' +
          info;
        security_warning(port:0, extra:report);
      }
      else security_warning(0);
      if (granular) exit(0, granular);
    }
    else
    {
      if (granular) exit(0, granular);
    
      installed_versions = substr(installed_versions, 3);
      if (vuln2 > 1)
        exit(0, "The Java "+installed_versions+" installations on the remote host are not affected.");
      else
        audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions);
    }
    
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0100.NASL
    descriptionAn update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 171. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2018-2579, CVE-2018-2581, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2629, CVE-2018-2633, CVE-2018-2634, CVE-2018-2637, CVE-2018-2641, CVE-2018-2657, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678)
    last seen2020-06-01
    modified2020-06-02
    plugin id106183
    published2018-01-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106183
    titleRHEL 6 / 7 : java-1.7.0-oracle (RHSA-2018:0100)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0458.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP20. Security Fix(es) : * OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962) (CVE-2018-2582) * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id107207
    published2018-03-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107207
    titleRHEL 7 : java-1.7.1-ibm (RHSA-2018:0458)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0630-1.NASL
    descriptionThis update for java-1_7_1-ibm provides the following fix: The version was updated to 7.1.4.20 [bsc#1082810] - Security fixes : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl – SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id107213
    published2018-03-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107213
    titleSUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2018:0630-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0115.NASL
    descriptionAn update for java-1.6.0-sun is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 6 to version 6 Update 181. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2018-2579, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2629, CVE-2018-2633, CVE-2018-2637, CVE-2018-2641, CVE-2018-2657, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678)
    last seen2020-06-01
    modified2020-06-02
    plugin id106256
    published2018-01-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106256
    titleRHEL 6 / 7 : java-1.6.0-sun (RHSA-2018:0115)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1463.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP10. Security Fix(es) : * IBM JDK: J9 JVM allows untrusted code running under a security manager to elevate its privileges (CVE-2018-1417) * Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Deployment) (CVE-2018-2638) * Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Deployment) (CVE-2018-2639) * OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962) (CVE-2018-2582) * Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Installer) (CVE-2018-2627) * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * Oracle JDK: unspecified vulnerability fixed in 7u171, 8u161, and 9.0.4 (JavaFX) (CVE-2018-2581) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * OpenJDK: GSS context use-after-free (JGSS, 8186212) (CVE-2018-2629) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109908
    published2018-05-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109908
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2018:1463)
  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_JAN_2018.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 181. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Deployment - Hotspot - I18n - Installer - JCE - JGSS - JMX - JNDI - JavaFX - LDAP - Libraries - Serialization
    last seen2020-06-01
    modified2020-06-02
    plugin id106190
    published2018-01-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106190
    titleOracle Java SE Multiple Vulnerabilities (January 2018 CPU)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0694-1.NASL
    descriptionThis update for java-1_7_1-ibm fixes the following issues: The version was updated to 7.1.4.20 [bsc#1082810] - Security fixes : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler - SUSE fixes : - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) - Fixed symlinks to policy files on update [bsc#1085018] - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390] - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900] - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs SR 110991601735. [bsc#966304] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id108400
    published2018-03-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108400
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:0694-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1812.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Satellite 5.6 and Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP20. Security Fix(es) : * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * Oracle JDK: unspecified vulnerability fixed in 7u171, 8u161, and 9.0.4 (JavaFX) (CVE-2018-2581) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * OpenJDK: GSS context use-after-free (JGSS, 8186212) (CVE-2018-2629) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110405
    published2018-06-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110405
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2018:1812)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0645-1.NASL
    descriptionThis update for java-1_7_0-ibm provides the following fixes: The version was updated to 7.0.10.20 [bsc#1082810] : - Following security issues were fixed : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl – SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ02284 JIT Compiler: Division by zero in JIT compiler - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id107288
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107288
    titleSUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2018:0645-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0743-1.NASL
    descriptionThis update for java-1_7_1-ibm fixes the following issue: The version was updated to 7.1.4.20 [bsc#1082810] - Security fixes : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler - SUSE fixes : - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390] - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900] - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs SR 110991601735. [bsc#966304] - Ensure that all Java policy files are symlinked into the proper file system locations. Without those symlinks, several OES iManager plugins did not function properly. [bsc#1085018] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id108482
    published2018-03-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108482
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:0743-1)
  • NASL familyWindows
    NASL idORACLE_JROCKIT_CPU_JAN_2018.NASL
    descriptionThe version of Oracle JRockit installed on the remote Windows host is R28.3.16. It is, therefore, affected by multiple vulnerabilities. See advisory for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id106139
    published2018-01-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106139
    titleOracle JRockit R28.3.16 Multiple Vulnerabilities (January 2018 CPU)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0521.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP20. Security Fix(es) : * OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962) (CVE-2018-2582) * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108362
    published2018-03-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108362
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2018:0521)

Redhat

advisories
  • rhsa
    idRHSA-2018:0100
  • rhsa
    idRHSA-2018:0115
  • rhsa
    idRHSA-2018:0458
  • rhsa
    idRHSA-2018:0521
  • rhsa
    idRHSA-2018:1463
  • rhsa
    idRHSA-2018:1812
rpms
  • java-1.7.0-oracle-1:1.7.0.171-1jpp.1.el6_9
  • java-1.7.0-oracle-1:1.7.0.171-1jpp.1.el7
  • java-1.7.0-oracle-devel-1:1.7.0.171-1jpp.1.el6_9
  • java-1.7.0-oracle-devel-1:1.7.0.171-1jpp.1.el7
  • java-1.7.0-oracle-javafx-1:1.7.0.171-1jpp.1.el6_9
  • java-1.7.0-oracle-javafx-1:1.7.0.171-1jpp.1.el7
  • java-1.7.0-oracle-jdbc-1:1.7.0.171-1jpp.1.el6_9
  • java-1.7.0-oracle-jdbc-1:1.7.0.171-1jpp.1.el7
  • java-1.7.0-oracle-plugin-1:1.7.0.171-1jpp.1.el6_9
  • java-1.7.0-oracle-plugin-1:1.7.0.171-1jpp.1.el7
  • java-1.7.0-oracle-src-1:1.7.0.171-1jpp.1.el6_9
  • java-1.7.0-oracle-src-1:1.7.0.171-1jpp.1.el7
  • java-1.6.0-sun-1:1.6.0.181-1jpp.1.el6
  • java-1.6.0-sun-1:1.6.0.181-1jpp.2.el7
  • java-1.6.0-sun-demo-1:1.6.0.181-1jpp.1.el6
  • java-1.6.0-sun-demo-1:1.6.0.181-1jpp.2.el7
  • java-1.6.0-sun-devel-1:1.6.0.181-1jpp.1.el6
  • java-1.6.0-sun-devel-1:1.6.0.181-1jpp.2.el7
  • java-1.6.0-sun-jdbc-1:1.6.0.181-1jpp.1.el6
  • java-1.6.0-sun-jdbc-1:1.6.0.181-1jpp.2.el7
  • java-1.6.0-sun-plugin-1:1.6.0.181-1jpp.1.el6
  • java-1.6.0-sun-plugin-1:1.6.0.181-1jpp.2.el7
  • java-1.6.0-sun-src-1:1.6.0.181-1jpp.1.el6
  • java-1.6.0-sun-src-1:1.6.0.181-1jpp.2.el7
  • java-1.7.1-ibm-1:1.7.1.4.20-1jpp.1.el7
  • java-1.7.1-ibm-demo-1:1.7.1.4.20-1jpp.1.el7
  • java-1.7.1-ibm-devel-1:1.7.1.4.20-1jpp.1.el7
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.20-1jpp.1.el7
  • java-1.7.1-ibm-plugin-1:1.7.1.4.20-1jpp.1.el7
  • java-1.7.1-ibm-src-1:1.7.1.4.20-1jpp.1.el7
  • java-1.7.1-ibm-1:1.7.1.4.20-1jpp.3.el6_9
  • java-1.7.1-ibm-demo-1:1.7.1.4.20-1jpp.3.el6_9
  • java-1.7.1-ibm-devel-1:1.7.1.4.20-1jpp.3.el6_9
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.20-1jpp.3.el6_9
  • java-1.7.1-ibm-plugin-1:1.7.1.4.20-1jpp.3.el6_9
  • java-1.7.1-ibm-src-1:1.7.1.4.20-1jpp.3.el6_9
  • java-1.8.0-ibm-1:1.8.0.5.10-1jpp.1.el6_9
  • java-1.8.0-ibm-devel-1:1.8.0.5.10-1jpp.1.el6_9
  • java-1.7.1-ibm-1:1.7.1.4.20-1jpp.3.el6_9
  • java-1.7.1-ibm-devel-1:1.7.1.4.20-1jpp.3.el6_9