Vulnerabilities > CVE-2018-2657
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u171 and 7u161; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 | |
| Application | 3 | |
| Application | Schneider-Electric
| 6 |
| Application | 3 | |
| OS | 5 |
Nessus
NASL family Misc. NASL id ORACLE_JAVA_CPU_JAN_2018_UNIX.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 1888888881. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Deployment - Hotspot - I18n - Installer - JCE - JGSS - JMX - JNDI - JavaFX - LDAP - Libraries - Serialization last seen 2020-06-01 modified 2020-06-02 plugin id 106191 published 2018-01-19 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106191 title Oracle Java SE Multiple Vulnerabilities (January 2018 CPU) (Unix) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106191); script_version("1.7"); script_cvs_date("Date: 2019/11/08"); script_cve_id( "CVE-2018-2579", "CVE-2018-2581", "CVE-2018-2582", "CVE-2018-2588", "CVE-2018-2599", "CVE-2018-2602", "CVE-2018-2603", "CVE-2018-2618", "CVE-2018-2627", "CVE-2018-2629", "CVE-2018-2633", "CVE-2018-2634", "CVE-2018-2637", "CVE-2018-2638", "CVE-2018-2639", "CVE-2018-2641", "CVE-2018-2657", "CVE-2018-2663", "CVE-2018-2677", "CVE-2018-2678" ); script_bugtraq_id( 102546, 102556, 102557, 102576, 102584, 102592, 102597, 102605, 102612, 102615, 102625, 102629, 102633, 102636, 102642, 102656, 102659, 102661, 102662, 102663 ); script_name(english:"Oracle Java SE Multiple Vulnerabilities (January 2018 CPU) (Unix)"); script_summary(english:"Checks the version of the JRE."); script_set_attribute(attribute:"synopsis", value: "The remote Unix host contains a programming platform that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 1888888881. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Deployment - Hotspot - I18n - Installer - JCE - JGSS - JMX - JNDI - JavaFX - LDAP - Libraries - Serialization"); # https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?29ce2b01"); # https://www.oracle.com/technetwork/java/javase/9-0-4-relnotes-4021191.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?793c3773"); # https://www.oracle.com/technetwork/java/javase/8u162-relnotes-4021436.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cc061f9a"); # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2fbcacca"); # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?726f7054"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle JDK / JRE 9 Update 4, 8 Update 161 / 7 Update 171 / 6 Update 181 or later. If necessary, remove any affected versions. Note that an Extended Support contract with Oracle is needed to obtain JDK / JRE 6 Update 95 or later."); script_set_attribute(attribute:"agent", value:"unix"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-2639"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/16"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/19"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("sun_java_jre_installed_unix.nasl"); script_require_keys("Host/Java/JRE/Installed"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Check each installed JRE. installs = get_kb_list_or_exit("Host/Java/JRE/Unmanaged/*"); info = ""; vuln = 0; vuln2 = 0; installed_versions = ""; granular = ""; foreach install (list_uniq(keys(installs))) { ver = install - "Host/Java/JRE/Unmanaged/"; if (ver !~ "^[0-9.]+") continue; installed_versions = installed_versions + " & " + ver; # Fixes : (JDK|JRE) 9 Update 4 / 8 Update 161 / 7 Update 171 / 6 Update 181 if ( ver =~ '^1\\.6\\.0_([0-9]|[0-9][0-9]|1[0-7][0-9]|180)([^0-9]|$)' || ver =~ '^1\\.7\\.0_([0-9]|[0-9][0-9]|1[0-6][0-9]|170)([^0-9]|$)' || ver =~ '^1\\.8\\.0_([0-9]|[0-9][0-9]|1[0-5][0-9]|160)([^0-9]|$)' || ver =~ '^1\\.9\\.0_(00|0?[0-3])([^0-9]|$)' ) { dirs = make_list(get_kb_list(install)); vuln += max_index(dirs); foreach dir (dirs) info += '\n Path : ' + dir; info += '\n Installed version : ' + ver; info += '\n Fixed version : 1.6.0_181 / 1.7.0_171 / 1.8.0_161 / 1.9.0_4\n'; } else if (ver =~ "^[\d\.]+$") { dirs = make_list(get_kb_list(install)); foreach dir (dirs) granular += "The Oracle Java version "+ver+" at "+dir+" is not granular enough to make a determination."+'\n'; } else { dirs = make_list(get_kb_list(install)); vuln2 += max_index(dirs); } } # Report if any were found to be vulnerable. if (info) { if (report_verbosity > 0) { if (vuln > 1) s = "s of Java are"; else s = " of Java is"; report = '\n' + 'The following vulnerable instance'+s+' installed on the\n' + 'remote host :\n' + info; security_warning(port:0, extra:report); } else security_warning(0); if (granular) exit(0, granular); } else { if (granular) exit(0, granular); installed_versions = substr(installed_versions, 3); if (vuln2 > 1) exit(0, "The Java "+installed_versions+" installations on the remote host are not affected."); else audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0100.NASL description An update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 171. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2018-2579, CVE-2018-2581, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2629, CVE-2018-2633, CVE-2018-2634, CVE-2018-2637, CVE-2018-2641, CVE-2018-2657, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678) last seen 2020-06-01 modified 2020-06-02 plugin id 106183 published 2018-01-19 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106183 title RHEL 6 / 7 : java-1.7.0-oracle (RHSA-2018:0100) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0458.NASL description An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP20. Security Fix(es) : * OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962) (CVE-2018-2582) * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 107207 published 2018-03-08 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107207 title RHEL 7 : java-1.7.1-ibm (RHSA-2018:0458) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0630-1.NASL description This update for java-1_7_1-ibm provides the following fix: The version was updated to 7.1.4.20 [bsc#1082810] - Security fixes : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl – SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 107213 published 2018-03-08 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107213 title SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2018:0630-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0115.NASL description An update for java-1.6.0-sun is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 6 to version 6 Update 181. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2018-2579, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602, CVE-2018-2603, CVE-2018-2618, CVE-2018-2629, CVE-2018-2633, CVE-2018-2637, CVE-2018-2641, CVE-2018-2657, CVE-2018-2663, CVE-2018-2677, CVE-2018-2678) last seen 2020-06-01 modified 2020-06-02 plugin id 106256 published 2018-01-23 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106256 title RHEL 6 / 7 : java-1.6.0-sun (RHSA-2018:0115) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1463.NASL description An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP10. Security Fix(es) : * IBM JDK: J9 JVM allows untrusted code running under a security manager to elevate its privileges (CVE-2018-1417) * Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Deployment) (CVE-2018-2638) * Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Deployment) (CVE-2018-2639) * OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962) (CVE-2018-2582) * Oracle JDK: unspecified vulnerability fixed in 8u161 and 9.0.4 (Installer) (CVE-2018-2627) * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * Oracle JDK: unspecified vulnerability fixed in 7u171, 8u161, and 9.0.4 (JavaFX) (CVE-2018-2581) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * OpenJDK: GSS context use-after-free (JGSS, 8186212) (CVE-2018-2629) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 109908 published 2018-05-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109908 title RHEL 6 : java-1.8.0-ibm (RHSA-2018:1463) NASL family Windows NASL id ORACLE_JAVA_CPU_JAN_2018.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 4, 8 Update 161, 7 Update 171, or 6 Update 181. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Deployment - Hotspot - I18n - Installer - JCE - JGSS - JMX - JNDI - JavaFX - LDAP - Libraries - Serialization last seen 2020-06-01 modified 2020-06-02 plugin id 106190 published 2018-01-19 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106190 title Oracle Java SE Multiple Vulnerabilities (January 2018 CPU) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0694-1.NASL description This update for java-1_7_1-ibm fixes the following issues: The version was updated to 7.1.4.20 [bsc#1082810] - Security fixes : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler - SUSE fixes : - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) - Fixed symlinks to policy files on update [bsc#1085018] - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390] - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900] - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs SR 110991601735. [bsc#966304] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108400 published 2018-03-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108400 title SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:0694-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1812.NASL description An update for java-1.7.1-ibm is now available for Red Hat Satellite 5.6 and Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP20. Security Fix(es) : * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * Oracle JDK: unspecified vulnerability fixed in 7u171, 8u161, and 9.0.4 (JavaFX) (CVE-2018-2581) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * OpenJDK: GSS context use-after-free (JGSS, 8186212) (CVE-2018-2629) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 110405 published 2018-06-08 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110405 title RHEL 6 : java-1.7.1-ibm (RHSA-2018:1812) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0645-1.NASL description This update for java-1_7_0-ibm provides the following fixes: The version was updated to 7.0.10.20 [bsc#1082810] : - Following security issues were fixed : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl – Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl – SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ02284 JIT Compiler: Division by zero in JIT compiler - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 107288 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107288 title SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2018:0645-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0743-1.NASL description This update for java-1_7_1-ibm fixes the following issue: The version was updated to 7.1.4.20 [bsc#1082810] - Security fixes : - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579 - Defect fixes : - IJ04281 Class Libraries: Startup time increase after applying apar IV96905 - IJ03822 Class Libraries: Update timezone information to tzdata2017c - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump, trace, log was not enabled by default - IJ03607 JIT Compiler: Result String contains a redundant dot when converted from BigDecimal with 0 on all platforms - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01 - IJ04282 Security: Change in location and default of jurisdiction policy files - IJ03853 Security: IBMCAC provider does not support SHA224 - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated internally - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot specification attribute - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with stash, JKS Chain issue and JVM argument parse issue with iKeyman - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE - IJ02284 JIT Compiler: Division by zero in JIT compiler - SUSE fixes : - Make it possible to run Java jnlp files from Firefox. (bsc#1057460) - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390] - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900] - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs SR 110991601735. [bsc#966304] - Ensure that all Java policy files are symlinked into the proper file system locations. Without those symlinks, several OES iManager plugins did not function properly. [bsc#1085018] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108482 published 2018-03-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108482 title SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:0743-1) NASL family Windows NASL id ORACLE_JROCKIT_CPU_JAN_2018.NASL description The version of Oracle JRockit installed on the remote Windows host is R28.3.16. It is, therefore, affected by multiple vulnerabilities. See advisory for details. last seen 2020-06-01 modified 2020-06-02 plugin id 106139 published 2018-01-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106139 title Oracle JRockit R28.3.16 Multiple Vulnerabilities (January 2018 CPU) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0521.NASL description An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP20. Security Fix(es) : * OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962) (CVE-2018-2582) * OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633) * OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634) * OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637) * OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641) * OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588) * OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599) * OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602) * OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603) * OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618) * Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657) * OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663) * OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677) * OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678) * OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 108362 published 2018-03-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108362 title RHEL 6 : java-1.7.1-ibm (RHSA-2018:0521)
Redhat
| advisories |
| ||||||||||||||||||||||||
| rpms |
|
References
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- https://security.netapp.com/advisory/ntap-20180117-0001/
- http://www.securitytracker.com/id/1040203
- http://www.securityfocus.com/bid/102629
- https://access.redhat.com/errata/RHSA-2018:0100
- https://access.redhat.com/errata/RHSA-2018:0115
- https://access.redhat.com/errata/RHSA-2018:0458
- https://access.redhat.com/errata/RHSA-2018:0521
- https://access.redhat.com/errata/RHSA-2018:1463
- https://access.redhat.com/errata/RHSA-2018:1812
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03911en_us