Vulnerabilities > CVE-2018-2794

047910
CVSS 7.7 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1278.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109546
    published2018-05-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109546
    titleRHEL 7 : java-1.7.0-openjdk (RHSA-2018:1278)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1278. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109546);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/24 15:35:44");
    
      script_cve_id("CVE-2018-2790", "CVE-2018-2794", "CVE-2018-2795", "CVE-2018-2796", "CVE-2018-2797", "CVE-2018-2798", "CVE-2018-2799", "CVE-2018-2800", "CVE-2018-2814", "CVE-2018-2815");
      script_xref(name:"RHSA", value:"2018:1278");
    
      script_name(english:"RHEL 7 : java-1.7.0-openjdk (RHSA-2018:1278)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for java-1.7.0-openjdk is now available for Red Hat
    Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
    Environment and the OpenJDK 7 Java Software Development Kit.
    
    Security Fix(es) :
    
    * OpenJDK: incorrect handling of Reference clones can lead to sandbox
    bypass (Hotspot, 8192025) (CVE-2018-2814)
    
    * OpenJDK: unrestricted deserialization of data from JCEKS key stores
    (Security, 8189997) (CVE-2018-2794)
    
    * OpenJDK: insufficient consistency checks in deserialization of
    multiple classes (Security, 8189977) (CVE-2018-2795)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    TabularDataSupport (JMX, 8189985) (CVE-2018-2797)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    Container (AWT, 8189989) (CVE-2018-2798)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799)
    
    * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
    (CVE-2018-2800)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    StubIORImpl (Serialization, 8192757) (CVE-2018-2815)
    
    * OpenJDK: incorrect merging of sections in the JAR manifest
    (Security, 8189969) (CVE-2018-2790)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:1278"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2790"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2794"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2795"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2796"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2797"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2798"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2799"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2800"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2814"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2815"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:1278";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-accessibility-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-accessibility-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-headless-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-headless-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"java-1.7.0-openjdk-javadoc-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.0-openjdk-src-1.7.0.181-2.6.14.5.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.0-openjdk-src-1.7.0.181-2.6.14.5.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1723.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP25. Security Fix(es) : * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110117
    published2018-05-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110117
    titleRHEL 7 : java-1.7.1-ibm (RHSA-2018:1723)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1723. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110117);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/24 15:35:45");
    
      script_cve_id("CVE-2018-2783", "CVE-2018-2790", "CVE-2018-2794", "CVE-2018-2795", "CVE-2018-2796", "CVE-2018-2797", "CVE-2018-2798", "CVE-2018-2799", "CVE-2018-2800");
      script_xref(name:"RHSA", value:"2018:1723");
    
      script_name(english:"RHEL 7 : java-1.7.1-ibm (RHSA-2018:1723)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for java-1.7.1-ibm is now available for Red Hat Enterprise
    Linux 7 Supplementary.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    IBM Java SE version 7 Release 1 includes the IBM Java Runtime
    Environment and the IBM Java Software Development Kit.
    
    This update upgrades IBM Java SE 7 to version 7R1 SR4-FP25.
    
    Security Fix(es) :
    
    * OpenJDK: unrestricted deserialization of data from JCEKS key stores
    (Security, 8189997) (CVE-2018-2794)
    
    * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and
    8u161 (Security) (CVE-2018-2783)
    
    * OpenJDK: insufficient consistency checks in deserialization of
    multiple classes (Security, 8189977) (CVE-2018-2795)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    TabularDataSupport (JMX, 8189985) (CVE-2018-2797)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    Container (AWT, 8189989) (CVE-2018-2798)
    
    * OpenJDK: unbounded memory allocation during deserialization in
    NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799)
    
    * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
    (CVE-2018-2800)
    
    * OpenJDK: incorrect merging of sections in the JAR manifest
    (Security, 8189969) (CVE-2018-2790)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:1723"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2783"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2790"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2794"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2795"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2796"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2797"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2798"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2799"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-2800"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:1723";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-demo-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-demo-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-devel-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-devel-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-jdbc-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-jdbc-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-plugin-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.7.1-ibm-src-1.7.1.4.25-1jpp.3.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.7.1-ibm-src-1.7.1.4.25-1jpp.3.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc");
      }
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180419_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-03-18
    modified2018-04-20
    plugin id109196
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109196
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (20180419)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-637.NASL
    descriptionThis update for java-1_7_0-openjdk to version 7u181 fixes the following issues : + S8162488: JDK should be updated to use LittleCMS 2.8 + S8180881: Better packaging of deserialization + S8182362: Update CipherOutputStream Usage + S8183032: Upgrade to LittleCMS 2.9 + S8189123: More consistent classloading + S8190478: Improved interface method selection + S8190877: Better handling of abstract classes + S8191696: Better mouse positioning + S8192030: Better MTSchema support + S8193409: Improve AES supporting classes + S8193414: Improvements in MethodType lookups + S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries + S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability + S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability + S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability + S8189989, CVE-2018-2798, bsc#1090028: Improve container portability + S8189993, CVE-2018-2799, bsc#1090029: Improve document portability + S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms + S8192025, CVE-2018-2814, bsc#1090032: Less referential references + S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation + S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For additional changes please consult the changelog. This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-06-18
    plugin id110587
    published2018-06-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110587
    titleopenSUSE Security Update : java-1_7_0-openjdk (openSUSE-2018-637)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1722.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP15. Security Fix(es) : * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110116
    published2018-05-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110116
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2018:1722)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1270.NASL
    descriptionFrom Red Hat Security Advisory 2018:1270 : An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109440
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109440
    titleOracle Linux 6 : java-1.7.0-openjdk (ELSA-2018-1270)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201903-14.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201903-14 (Oracle JDK/JRE: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Oracle&rsquo;s JDK and JRE software suites. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, gain access to information, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id122836
    published2019-03-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122836
    titleGLSA-201903-14 : Oracle JDK/JRE: Multiple vulnerabilities
  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_APR_2018.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 10 Update 1, 8 Update 171, 7 Update 181, or 6 Update 191. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Concurrency - Hotspot - Install - JAXP - JMX - Libraries - RMI - Security - Serialization
    last seen2020-06-01
    modified2020-06-02
    plugin id109202
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109202
    titleOracle Java SE Multiple Vulnerabilities (April 2018 CPU)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1195.NASL
    descriptionAccording to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass.(CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores.(CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes.(CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue.(CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport. (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container.(CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl.(CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default.(CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl.(CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest.(CVE-2018-2790) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load i1/4+ Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-05-06
    modified2018-07-03
    plugin id110859
    published2018-07-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110859
    titleEulerOS 2.0 SP3 : java-1.8.0-openjdk (EulerOS-SA-2018-1195)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1191.NASL
    descriptionFrom Red Hat Security Advisory 2018:1191 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id109193
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109193
    titleOracle Linux 7 : java-1.8.0-openjdk (ELSA-2018-1191)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3691-1.NASL
    descriptionIt was discovered that the Security component of OpenJDK did not correctly perform merging of multiple sections for the same file listed in JAR archive file manifests. An attacker could possibly use this to modify attributes in a manifest without invalidating the signature. (CVE-2018-2790) Francesco Palmarini, Marco Squarcina, Mauro Tempesta, and Riccardo Focardi discovered that the Security component of OpenJDK did not restrict which classes could be used when deserializing keys from the JCEKS key stores. An attacker could use this to specially craft a JCEKS key store to execute arbitrary code. (CVE-2018-2794) It was discovered that the Security component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2795) It was discovered that the Concurrency component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2796) It was discovered that the JMX component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2797) It was discovered that the AWT component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2798) It was discovered that the JAXP component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2799) Moritz Bechler discovered that the RMI component of OpenJDK enabled HTTP transport for RMI servers by default. A remote attacker could use this to gain access to restricted services. (CVE-2018-2800) It was discovered that a vulnerability existed in the Hotspot component of OpenJDK affecting confidentiality, data integrity, and availability. An attacker could use this to specially craft an Java application that caused a denial of service or bypassed sandbox restrictions. (CVE-2018-2814) Apostolos Giannakidis discovered that the Serialization component of OpenJDK did not properly bound memory allocations in some situations. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2815). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110662
    published2018-06-22
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110662
    titleUbuntu 14.04 LTS : openjdk-7 vulnerabilities (USN-3691-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4225.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.
    last seen2020-06-01
    modified2020-06-02
    plugin id110424
    published2018-06-11
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110424
    titleDebian DSA-4225-1 : openjdk-7 - security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1193.NASL
    descriptionAccording to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass.(CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores.(CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes.(CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue.(CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport. (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container.(CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl.(CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default.(CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl.(CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest.(CVE-2018-2790) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load i1/4+ Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-05-06
    modified2018-07-03
    plugin id110857
    published2018-07-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110857
    titleEulerOS 2.0 SP3 : java-1.7.0-openjdk (EulerOS-SA-2018-1193)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1129.NASL
    descriptionAccording to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass.(CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores.(CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes.(CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue.(CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport. (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container.(CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl.(CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default.(CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl.(CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest.(CVE-2018-2790) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-29
    plugin id110133
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110133
    titleEulerOS 2.0 SP2 : java-1.7.0-openjdk (EulerOS-SA-2018-1129)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1002.NASL
    descriptionUnbounded memory allocation during deserialization in Container (AWT, 8189989) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2798) Unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2815) Unrestricted deserialization of data from JCEKS key stores (Security, 8189997) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2794) Insufficient consistency checks in deserialization of multiple classes (Security, 8189977) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2795) Unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2799) RMI HTTP transport enabled by default (RMI, 8193833) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. (CVE-2018-2800) Incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2018-2814) Unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2797) Incorrect merging of sections in the JAR manifest (Security, 8189969) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2018-2790) Unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2796)
    last seen2020-06-01
    modified2020-06-02
    plugin id109363
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109363
    titleAmazon Linux 2 : java-1.8.0-openjdk (ALAS-2018-1002)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0032_JAVA-1.7.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has java-1.7.0-openjdk packages installed that are affected by multiple vulnerabilities: - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id127199
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127199
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0032)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1721.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP15. Security Fix(es) : * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110115
    published2018-05-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110115
    titleRHEL 7 : java-1.8.0-ibm (RHSA-2018:1721)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1188.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id109527
    published2018-05-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109527
    titleCentOS 6 : java-1.8.0-openjdk (CESA-2018:1188)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0137_JAVA-1.8.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id127397
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127397
    titleNewStart CGSL MAIN 4.05 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0137)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1205.NASL
    descriptionAn update for java-1.6.0-sun is now available for Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 6 to version 6 Update 191. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109306
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109306
    titleRHEL 7 : java-1.6.0-sun (RHSA-2018:1205)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180430_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790)
    last seen2020-03-18
    modified2018-05-01
    plugin id109465
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109465
    titleScientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20180430)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1938-2.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u171 fixes the following issues: These security issues were fixed : - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries - S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability - S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability - S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability - S8189989, CVE-2018-2798, bsc#1090028: Improve container portability - S8189993, CVE-2018-2799, bsc#1090029: Improve document portability - S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms - S8190478: Improved interface method selection - S8190877: Better handling of abstract classes - S8191696: Better mouse positioning - S8192025, CVE-2018-2814, bsc#1090032: Less referential references - S8192030: Better MTSchema support - S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation - S8193409: Improve AES supporting classes - S8193414: Improvements in MethodType lookups - S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For other changes please consult the changelog. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120046
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120046
    titleSUSE SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2018:1938-2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1204.NASL
    descriptionAn update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 171. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 8u171 and 10.0.1 (Install) (CVE-2018-2811) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109305
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109305
    titleRHEL 7 : java-1.8.0-oracle (RHSA-2018:1204)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1191.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id110240
    published2018-05-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110240
    titleCentOS 7 : java-1.8.0-openjdk (CESA-2018:1191)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1278.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110244
    published2018-05-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110244
    titleCentOS 7 : java-1.7.0-openjdk (CESA-2018:1278)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1447-1.NASL
    descriptionIBM Java was updated to 7.1.4.25 [bsc#1093311, bsc#1085449] Security fixes : - CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110186
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110186
    titleSUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2018:1447-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1007.NASL
    descriptionUnbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2799) Incorrect merging of sections in the JAR manifest (Security, 8189969) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2018-2790) RMI HTTP transport enabled by default (RMI, 8193833) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2018-2800) Unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2796) Unbounded memory allocation during deserialization in Container (AWT, 8189989) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2798) Incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2018-2814) Unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2815) Unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2797) Unrestricted deserialization of data from JCEKS key stores (Security, 8189997) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2794) Insufficient consistency checks in deserialization of multiple classes (Security, 8189977) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2795)
    last seen2020-06-01
    modified2020-06-02
    plugin id109686
    published2018-05-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109686
    titleAmazon Linux 2 : java-1.7.0-openjdk (ALAS-2018-1007)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1724.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP25. Security Fix(es) : * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110118
    published2018-05-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110118
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2018:1724)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-641.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u171 fixes the following issues : These security issues were fixed : - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries - S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability - S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability - S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability - S8189989, CVE-2018-2798, bsc#1090028: Improve container portability - S8189993, CVE-2018-2799, bsc#1090029: Improve document portability - S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms - S8190478: Improved interface method selection - S8190877: Better handling of abstract classes - S8191696: Better mouse positioning - S8192025, CVE-2018-2814, bsc#1090032: Less referential references - S8192030: Better MTSchema support - S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation - S8193409: Improve AES supporting classes - S8193414: Improvements in MethodType lookups - S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For other changes please consult the changelog. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen2020-06-05
    modified2018-06-18
    plugin id110590
    published2018-06-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110590
    titleopenSUSE Security Update : java-1_8_0-openjdk (openSUSE-2018-641)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1974.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Satellite 5.6 and Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP25. Security Fix(es) : * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110692
    published2018-06-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110692
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2018:1974)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1764-1.NASL
    descriptionIBM Java was updated to 7.1.4.25 [bsc#1093311, bsc#1085449]: Security fixes : - CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110638
    published2018-06-21
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110638
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:1764-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1188.NASL
    descriptionFrom Red Hat Security Advisory 2018:1188 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id109192
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109192
    titleOracle Linux 6 : java-1.8.0-openjdk (ELSA-2018-1188)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1692-2.NASL
    descriptionThis update for java-1_7_0-openjdk to version 7u181 fixes the following issues : S8162488: JDK should be updated to use LittleCMS 2.8 S8180881: Better packaging of deserialization S8182362: Update CipherOutputStream Usage S8183032: Upgrade to LittleCMS 2.9 S8189123: More consistent classloading S8190478: Improved interface method selection S8190877: Better handling of abstract classes S8191696: Better mouse positioning S8192030: Better MTSchema support S8193409: Improve AES supporting classes S8193414: Improvements in MethodType lookups S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability S8189989, CVE-2018-2798, bsc#1090028: Improve container portability S8189993, CVE-2018-2799, bsc#1090029: Improve document portability S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms S8192025, CVE-2018-2814, bsc#1090032: Less referential references S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For additional changes please consult the changelog. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118264
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118264
    titleSUSE SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2018:1692-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1690-1.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u171 fixes the following issues: These security issues were fixed : - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries - S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability - S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability - S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability - S8189989, CVE-2018-2798, bsc#1090028: Improve container portability - S8189993, CVE-2018-2799, bsc#1090029: Improve document portability - S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms - S8190478: Improved interface method selection - S8190877: Better handling of abstract classes - S8191696: Better mouse positioning - S8192025, CVE-2018-2814, bsc#1090032: Less referential references - S8192030: Better MTSchema support - S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation - S8193409: Improve AES supporting classes - S8193414: Improvements in MethodType lookups - S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For other changes please consult the changelog. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110544
    published2018-06-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110544
    titleSUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2018:1690-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1975.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP15. Security Fix(es) : * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id110793
    published2018-06-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110793
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2018:1975)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0027_JAVA-1.8.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id127190
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127190
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0027)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0130.NASL
    descriptionAn update of 'mysql', 'openjdk',openjre packages of Photon OS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111932
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111932
    titlePhoton OS 1.0: Mysql / Openjdk PHSA-2018-1.0-0130 (deprecated)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1130.NASL
    descriptionAccording to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass.(CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores.(CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes.(CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue.(CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport. (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container.(CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl.(CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default.(CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl.(CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest.(CVE-2018-2790) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-29
    plugin id110134
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110134
    titleEulerOS 2.0 SP1 : java-1.8.0-openjdk (EulerOS-SA-2018-1130)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1202.NASL
    descriptionAn update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 171. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 8u171 and 10.0.1 (Install) (CVE-2018-2811) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109303
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109303
    titleRHEL 6 : java-1.8.0-oracle (RHSA-2018:1202)
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_APR_2018_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 10 Update 1, 8 Update 171, 7 Update 181, or 6 Update 191. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Concurrency - Hotspot - Install - JAXP - JMX - Libraries - RMI - Security - Serialization
    last seen2020-06-01
    modified2020-06-02
    plugin id109203
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109203
    titleOracle Java SE Multiple Vulnerabilities (April 2018 CPU) (Unix)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0130_OPENJDK.NASL
    descriptionAn update of the openjdk package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121835
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121835
    titlePhoton OS 1.0: Openjdk PHSA-2018-1.0-0130
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4185.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.
    last seen2020-06-01
    modified2020-06-02
    plugin id109414
    published2018-04-30
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109414
    titleDebian DSA-4185-1 : openjdk-8 - security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1128.NASL
    descriptionAccording to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass.(CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores.(CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes.(CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue.(CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport. (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container.(CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl.(CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default.(CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl.(CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest.(CVE-2018-2790) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-29
    plugin id110132
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110132
    titleEulerOS 2.0 SP1 : java-1.7.0-openjdk (EulerOS-SA-2018-1128)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180419_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-03-18
    modified2018-05-01
    plugin id109461
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109461
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL7.x x86_64 (20180419)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1131.NASL
    descriptionAccording to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass.(CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores.(CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes.(CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue.(CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport. (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container.(CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl.(CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default.(CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl.(CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest.(CVE-2018-2790) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-29
    plugin id110135
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110135
    titleEulerOS 2.0 SP2 : java-1.8.0-openjdk (EulerOS-SA-2018-1131)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1938-1.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u171 fixes the following issues: These security issues were fixed : - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries - S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability - S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability - S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability - S8189989, CVE-2018-2798, bsc#1090028: Improve container portability - S8189993, CVE-2018-2799, bsc#1090029: Improve document portability - S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms - S8190478: Improved interface method selection - S8190877: Better handling of abstract classes - S8191696: Better mouse positioning - S8192025, CVE-2018-2814, bsc#1090032: Less referential references - S8192030: Better MTSchema support - S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation - S8193409: Improve AES supporting classes - S8193414: Improvements in MethodType lookups - S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For other changes please consult the changelog. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120045
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120045
    titleSUSE SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2018:1938-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1002.NASL
    descriptionUnbounded memory allocation during deserialization in Container (AWT, 8189989) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2798) Unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2815) Unrestricted deserialization of data from JCEKS key stores (Security, 8189997) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2794) Insufficient consistency checks in deserialization of multiple classes (Security, 8189977) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2795) Unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2799) RMI HTTP transport enabled by default (RMI, 8193833) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. (CVE-2018-2800) Incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2018-2814) Unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2797) Incorrect merging of sections in the JAR manifest (Security, 8189969) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2018-2790) Unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2796)
    last seen2020-06-01
    modified2020-06-02
    plugin id109367
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109367
    titleAmazon Linux AMI : java-1.8.0-openjdk (ALAS-2018-1002)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1764-2.NASL
    descriptionIBM Java was updated to 7.1.4.25 [bsc#1093311, bsc#1085449] : Security fixes : CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118268
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118268
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2018:1764-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1738-2.NASL
    descriptionIBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449] Security fixes : CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 Removed translations in the java-1_8_0-ibm-devel-32bit package as they conflict with those in java-1_8_0-ibm-devel. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118267
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118267
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:1738-2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1191.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id109195
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109195
    titleRHEL 7 : java-1.8.0-openjdk (RHSA-2018:1191)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0131_JAVA-1.7.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has java-1.7.0-openjdk packages installed that are affected by multiple vulnerabilities: - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id127385
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127385
    titleNewStart CGSL MAIN 4.05 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0131)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1458-1.NASL
    descriptionThis update for java-1_7_0-ibm fixes the following issues: IBM Java was updated to 7.1.4.25 (bsc#1093311, bsc#1085449) Security fixes : - CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110223
    published2018-05-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110223
    titleSUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2018:1458-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1270.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109530
    published2018-05-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109530
    titleCentOS 6 : java-1.7.0-openjdk (CESA-2018:1270)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-479.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u171 fixes the following issues : These security issues were fixed : - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries - S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability - S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability - S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability - S8189989, CVE-2018-2798, bsc#1090028: Improve container portability - S8189993, CVE-2018-2799, bsc#1090029: Improve document portability - S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms - S8190478: Improved interface method selection - S8190877: Better handling of abstract classes - S8191696: Better mouse positioning - S8192025, CVE-2018-2814, bsc#1090032: Less referential references - S8192030: Better MTSchema support - S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation - S8193409: Improve AES supporting classes - S8193414: Improvements in MethodType lookups - S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For other changes please consult the changelog. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen2020-05-31
    modified2019-03-27
    plugin id123197
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123197
    titleopenSUSE Security Update : java-1_8_0-openjdk (openSUSE-2019-479)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0039_OPENJDK8.NASL
    descriptionAn update of the openjdk8 package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121938
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121938
    titlePhoton OS 2.0: Openjdk8 PHSA-2018-2.0-0039
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1738-1.NASL
    descriptionIBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449] Security fixes : - CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 - Removed translations in the java-1_8_0-ibm-devel-32bit package as they conflict with those in java-1_8_0-ibm-devel. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110620
    published2018-06-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110620
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:1738-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1188.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen2020-06-01
    modified2020-06-02
    plugin id109194
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109194
    titleRHEL 6 : java-1.8.0-openjdk (RHSA-2018:1188)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1206.NASL
    descriptionAn update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 181. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109307
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109307
    titleRHEL 6 : java-1.7.0-oracle (RHSA-2018:1206)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0039.NASL
    descriptionAn update of {'openjdk8', 'httpd', 'librelp', 'zsh', 'libvirt', 'libtiff'} packages of Photon OS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111298
    published2018-07-24
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111298
    titlePhoton OS 2.0 : openjdk8 / httpd / librelp / zsh / libvirt (PhotonOS-PHSA-2018-2.0-0039) (deprecated)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1278.NASL
    descriptionFrom Red Hat Security Advisory 2018:1278 : An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109542
    published2018-05-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109542
    titleOracle Linux 7 : java-1.7.0-openjdk (ELSA-2018-1278)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3644-1.NASL
    descriptionIt was discovered that the Security component of OpenJDK did not correctly perform merging of multiple sections for the same file listed in JAR archive file manifests. An attacker could possibly use this to modify attributes in a manifest without invalidating the signature. (CVE-2018-2790) Francesco Palmarini, Marco Squarcina, Mauro Tempesta, and Riccardo Focardi discovered that the Security component of OpenJDK did not restrict which classes could be used when deserializing keys from the JCEKS key stores. An attacker could use this to specially craft a JCEKS key store to execute arbitrary code. (CVE-2018-2794) It was discovered that the Security component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2795) It was discovered that the Concurrency component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2796) It was discovered that the JMX component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2797) It was discovered that the AWT component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2798) It was discovered that the JAXP component of OpenJDK in some situations did not properly limit the amount of memory allocated when performing deserialization. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2799) Moritz Bechler discovered that the RMI component of OpenJDK enabled HTTP transport for RMI servers by default. A remote attacker could use this to gain access to restricted services. (CVE-2018-2800) It was discovered that a vulnerability existed in the Hotspot component of OpenJDK affecting confidentiality, data integrity, and availability. An attacker could use this to specially craft an Java application that caused a denial of service or bypassed sandbox restrictions. (CVE-2018-2814) Apostolos Giannakidis discovered that the Serialization component of OpenJDK did not properly bound memory allocations in some situations. An attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-2815) David Benjamin discovered a vulnerability in the Security component of OpenJDK related to data integrity and confidentiality. A remote attacker could possibly use this to expose sensitive information. (CVE-2018-2783). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109723
    published2018-05-11
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109723
    titleUbuntu 16.04 LTS / 17.10 : openjdk-8 vulnerabilities (USN-3644-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1203.NASL
    descriptionAn update for java-1.6.0-sun is now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 6 to version 6 Update 191. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * Oracle JDK: unspecified vulnerability fixed in 6u191, 7u171, and 8u161 (Security) (CVE-2018-2783) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109304
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109304
    titleRHEL 6 : java-1.6.0-sun (RHSA-2018:1203)
  • NASL familyWindows
    NASL idORACLE_JROCKIT_CPU_APR_2018.NASL
    descriptionThe version of Oracle JRockit installed on the remote Windows host is R28.3.17. It is, therefore, affected by multiple vulnerabilities. See advisory for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id109207
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109207
    titleOracle JRockit R28.3.17 Multiple Vulnerabilities (April 2018 CPU)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1692-1.NASL
    descriptionThis update for java-1_7_0-openjdk to version 7u181 fixes the following issues : + S8162488: JDK should be updated to use LittleCMS 2.8 + S8180881: Better packaging of deserialization + S8182362: Update CipherOutputStream Usage + S8183032: Upgrade to LittleCMS 2.9 + S8189123: More consistent classloading + S8190478: Improved interface method selection + S8190877: Better handling of abstract classes + S8191696: Better mouse positioning + S8192030: Better MTSchema support + S8193409: Improve AES supporting classes + S8193414: Improvements in MethodType lookups + S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries + S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability + S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability + S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability + S8189989, CVE-2018-2798, bsc#1090028: Improve container portability + S8189993, CVE-2018-2799, bsc#1090029: Improve document portability + S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms + S8192025, CVE-2018-2814, bsc#1090032: Less referential references + S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation + S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For additional changes please consult the changelog. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110546
    published2018-06-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110546
    titleSUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2018:1692-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1690-2.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u171 fixes the following issues : These security issues were fixed : S8180881: Better packaging of deserialization S8182362: Update CipherOutputStream Usage S8183032: Upgrade to LittleCMS 2.9 S8189123: More consistent classloading S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability S8189989, CVE-2018-2798, bsc#1090028: Improve container portability S8189993, CVE-2018-2799, bsc#1090029: Improve document portability S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms S8190478: Improved interface method selection S8190877: Better handling of abstract classes S8191696: Better mouse positioning S8192025, CVE-2018-2814, bsc#1090032: Less referential references S8192030: Better MTSchema support S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation S8193409: Improve AES supporting classes S8193414: Improvements in MethodType lookups S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support For other changes please consult the changelog. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118263
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118263
    titleSUSE SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2018:1690-2)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180502_JAVA_1_7_0_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) - OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) - OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) - OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) - OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) - OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) - OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) - OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) - OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) - OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790)
    last seen2020-03-18
    modified2018-05-04
    plugin id109571
    published2018-05-04
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109571
    titleScientific Linux Security Update : java-1.7.0-openjdk on SL7.x x86_64 (20180502)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2068-1.NASL
    descriptionIBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449] Security fixes : - CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 - Removed translations in the java-1_8_0-ibm-devel-32bit package as they conflict with those in java-1_8_0-ibm-devel. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120060
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120060
    titleSUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2068-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1007.NASL
    descriptionUnbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2018-2799) Incorrect merging of sections in the JAR manifest (Security, 8189969) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2018-2790) RMI HTTP transport enabled by default (RMI, 8193833) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2018-2800) Unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2796) Unbounded memory allocation during deserialization in Container (AWT, 8189989) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2798) Incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2018-2814) Unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2815) Unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2797) Unrestricted deserialization of data from JCEKS key stores (Security, 8189997) Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2794) Insufficient consistency checks in deserialization of multiple classes (Security, 8189977) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.(CVE-2018-2795)
    last seen2020-06-01
    modified2020-06-02
    plugin id109695
    published2018-05-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109695
    titleAmazon Linux AMI : java-1.7.0-openjdk (ALAS-2018-1007)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1201.NASL
    descriptionAn update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 181. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109302
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109302
    titleRHEL 7 : java-1.7.0-oracle (RHSA-2018:1201)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1270.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814) * OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794) * OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795) * OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796) * OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797) * OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798) * OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799) * OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800) * OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815) * OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109444
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109444
    titleRHEL 6 : java-1.7.0-openjdk (RHSA-2018:1270)

Redhat

advisories
  • rhsa
    idRHSA-2018:1188
  • rhsa
    idRHSA-2018:1191
  • rhsa
    idRHSA-2018:1201
  • rhsa
    idRHSA-2018:1202
  • rhsa
    idRHSA-2018:1203
  • rhsa
    idRHSA-2018:1204
  • rhsa
    idRHSA-2018:1205
  • rhsa
    idRHSA-2018:1206
  • rhsa
    idRHSA-2018:1270
  • rhsa
    idRHSA-2018:1278
  • rhsa
    idRHSA-2018:1721
  • rhsa
    idRHSA-2018:1722
  • rhsa
    idRHSA-2018:1723
  • rhsa
    idRHSA-2018:1724
  • rhsa
    idRHSA-2018:1974
  • rhsa
    idRHSA-2018:1975
rpms
  • java-1.8.0-openjdk-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-debug-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-demo-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-devel-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-headless-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-javadoc-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-src-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-src-debug-1:1.8.0.171-3.b10.el6_9
  • java-1.8.0-openjdk-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-accessibility-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-accessibility-debug-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-debug-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-demo-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-devel-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-headless-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-javadoc-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-javadoc-zip-debug-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-src-1:1.8.0.171-7.b10.el7
  • java-1.8.0-openjdk-src-debug-1:1.8.0.171-7.b10.el7
  • java-1.7.0-oracle-1:1.7.0.181-1jpp.1.el7
  • java-1.7.0-oracle-devel-1:1.7.0.181-1jpp.1.el7
  • java-1.7.0-oracle-javafx-1:1.7.0.181-1jpp.1.el7
  • java-1.7.0-oracle-jdbc-1:1.7.0.181-1jpp.1.el7
  • java-1.7.0-oracle-plugin-1:1.7.0.181-1jpp.1.el7
  • java-1.7.0-oracle-src-1:1.7.0.181-1jpp.1.el7
  • java-1.8.0-oracle-1:1.8.0.171-1jpp.2.el6
  • java-1.8.0-oracle-devel-1:1.8.0.171-1jpp.2.el6
  • java-1.8.0-oracle-javafx-1:1.8.0.171-1jpp.2.el6
  • java-1.8.0-oracle-jdbc-1:1.8.0.171-1jpp.2.el6
  • java-1.8.0-oracle-plugin-1:1.8.0.171-1jpp.2.el6
  • java-1.8.0-oracle-src-1:1.8.0.171-1jpp.2.el6
  • java-1.6.0-sun-1:1.6.0.191-1jpp.2.el6
  • java-1.6.0-sun-demo-1:1.6.0.191-1jpp.2.el6
  • java-1.6.0-sun-devel-1:1.6.0.191-1jpp.2.el6
  • java-1.6.0-sun-jdbc-1:1.6.0.191-1jpp.2.el6
  • java-1.6.0-sun-plugin-1:1.6.0.191-1jpp.2.el6
  • java-1.6.0-sun-src-1:1.6.0.191-1jpp.2.el6
  • java-1.8.0-oracle-1:1.8.0.171-1jpp.1.el7
  • java-1.8.0-oracle-devel-1:1.8.0.171-1jpp.1.el7
  • java-1.8.0-oracle-javafx-1:1.8.0.171-1jpp.1.el7
  • java-1.8.0-oracle-jdbc-1:1.8.0.171-1jpp.1.el7
  • java-1.8.0-oracle-plugin-1:1.8.0.171-1jpp.1.el7
  • java-1.8.0-oracle-src-1:1.8.0.171-1jpp.1.el7
  • java-1.6.0-sun-1:1.6.0.191-1jpp.1.el7
  • java-1.6.0-sun-demo-1:1.6.0.191-1jpp.1.el7
  • java-1.6.0-sun-devel-1:1.6.0.191-1jpp.1.el7
  • java-1.6.0-sun-jdbc-1:1.6.0.191-1jpp.1.el7
  • java-1.6.0-sun-plugin-1:1.6.0.191-1jpp.1.el7
  • java-1.6.0-sun-src-1:1.6.0.191-1jpp.1.el7
  • java-1.7.0-oracle-1:1.7.0.181-1jpp.1.el6
  • java-1.7.0-oracle-devel-1:1.7.0.181-1jpp.1.el6
  • java-1.7.0-oracle-javafx-1:1.7.0.181-1jpp.1.el6
  • java-1.7.0-oracle-jdbc-1:1.7.0.181-1jpp.1.el6
  • java-1.7.0-oracle-plugin-1:1.7.0.181-1jpp.1.el6
  • java-1.7.0-oracle-src-1:1.7.0.181-1jpp.1.el6
  • java-1.7.0-openjdk-1:1.7.0.181-2.6.14.1.el6_9
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.181-2.6.14.1.el6_9
  • java-1.7.0-openjdk-demo-1:1.7.0.181-2.6.14.1.el6_9
  • java-1.7.0-openjdk-devel-1:1.7.0.181-2.6.14.1.el6_9
  • java-1.7.0-openjdk-javadoc-1:1.7.0.181-2.6.14.1.el6_9
  • java-1.7.0-openjdk-src-1:1.7.0.181-2.6.14.1.el6_9
  • java-1.7.0-openjdk-1:1.7.0.181-2.6.14.5.el7
  • java-1.7.0-openjdk-accessibility-1:1.7.0.181-2.6.14.5.el7
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.181-2.6.14.5.el7
  • java-1.7.0-openjdk-demo-1:1.7.0.181-2.6.14.5.el7
  • java-1.7.0-openjdk-devel-1:1.7.0.181-2.6.14.5.el7
  • java-1.7.0-openjdk-headless-1:1.7.0.181-2.6.14.5.el7
  • java-1.7.0-openjdk-javadoc-1:1.7.0.181-2.6.14.5.el7
  • java-1.7.0-openjdk-src-1:1.7.0.181-2.6.14.5.el7
  • java-1.8.0-ibm-1:1.8.0.5.15-1jpp.5.el7
  • java-1.8.0-ibm-demo-1:1.8.0.5.15-1jpp.5.el7
  • java-1.8.0-ibm-devel-1:1.8.0.5.15-1jpp.5.el7
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.15-1jpp.5.el7
  • java-1.8.0-ibm-plugin-1:1.8.0.5.15-1jpp.5.el7
  • java-1.8.0-ibm-src-1:1.8.0.5.15-1jpp.5.el7
  • java-1.8.0-ibm-1:1.8.0.5.15-1jpp.2.el6_9
  • java-1.8.0-ibm-demo-1:1.8.0.5.15-1jpp.2.el6_9
  • java-1.8.0-ibm-devel-1:1.8.0.5.15-1jpp.2.el6_9
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.15-1jpp.2.el6_9
  • java-1.8.0-ibm-plugin-1:1.8.0.5.15-1jpp.2.el6_9
  • java-1.8.0-ibm-src-1:1.8.0.5.15-1jpp.2.el6_9
  • java-1.7.1-ibm-1:1.7.1.4.25-1jpp.3.el7
  • java-1.7.1-ibm-demo-1:1.7.1.4.25-1jpp.3.el7
  • java-1.7.1-ibm-devel-1:1.7.1.4.25-1jpp.3.el7
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.25-1jpp.3.el7
  • java-1.7.1-ibm-plugin-1:1.7.1.4.25-1jpp.3.el7
  • java-1.7.1-ibm-src-1:1.7.1.4.25-1jpp.3.el7
  • java-1.7.1-ibm-1:1.7.1.4.25-1jpp.2.el6_9
  • java-1.7.1-ibm-demo-1:1.7.1.4.25-1jpp.2.el6_9
  • java-1.7.1-ibm-devel-1:1.7.1.4.25-1jpp.2.el6_9
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.25-1jpp.2.el6_9
  • java-1.7.1-ibm-plugin-1:1.7.1.4.25-1jpp.2.el6_9
  • java-1.7.1-ibm-src-1:1.7.1.4.25-1jpp.2.el6_9
  • java-1.7.1-ibm-1:1.7.1.4.25-1jpp.3.el6
  • java-1.7.1-ibm-devel-1:1.7.1.4.25-1jpp.3.el6
  • java-1.8.0-ibm-1:1.8.0.5.15-1jpp.2.el6
  • java-1.8.0-ibm-devel-1:1.8.0.5.15-1jpp.2.el6