Vulnerabilities > CVE-2018-2825

047910
CVSS 8.3 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
oracle
canonical
netapp
nessus

Summary

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Nessus

  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_APR_2018.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 10 Update 1, 8 Update 171, 7 Update 181, or 6 Update 191. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Concurrency - Hotspot - Install - JAXP - JMX - Libraries - RMI - Security - Serialization
    last seen2020-06-01
    modified2020-06-02
    plugin id109202
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109202
    titleOracle Java SE Multiple Vulnerabilities (April 2018 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109202);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id(
        "CVE-2018-2783",
        "CVE-2018-2790",
        "CVE-2018-2794",
        "CVE-2018-2795",
        "CVE-2018-2796",
        "CVE-2018-2797",
        "CVE-2018-2798",
        "CVE-2018-2799",
        "CVE-2018-2800",
        "CVE-2018-2811",
        "CVE-2018-2814",
        "CVE-2018-2815",
        "CVE-2018-2825",
        "CVE-2018-2826"
      );
      script_bugtraq_id(
        103796,
        103810,
        103817,
        103832,
        103848,
        103849,
        103872
      );
    
      script_name(english:"Oracle Java SE Multiple Vulnerabilities (April 2018 CPU)");
      script_summary(english:"Checks the version of the JRE.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a programming platform that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business
    installed on the remote host is prior to 10 Update 1, 8 Update 171,
    7 Update 181, or 6 Update 191. It is, therefore, affected by
    multiple vulnerabilities related to the following components :
    
      - AWT
      - Concurrency
      - Hotspot
      - Install
      - JAXP
      - JMX
      - Libraries
      - RMI
      - Security
      - Serialization");
      # http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76507bf8");
      # https://www.oracle.com/technetwork/java/javase/10-0-1-relnotes-4308875.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6f630e2b");
      # https://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9bf6e180");
      # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2fbcacca");
      # http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?726f7054");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle JDK / JRE 10 Update 1, 8 Update 171 / 7 Update 181 /
    6 Update 191 or later. If necessary, remove any affected versions.
    
    Note that an Extended Support contract with Oracle is needed to obtain
    JDK / JRE 6 Update 95 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-2783");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("sun_java_jre_installed.nasl");
      script_require_keys("SMB/Java/JRE/Installed");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit("SMB/Java/JRE/*");
    
    info = "";
    vuln = 0;
    installed_versions = "";
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - "SMB/Java/JRE/";
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + " & " + ver;
    
      # Fixes : (JDK|JRE) 10 Update 1 / 8 Update 171 / 7 Update 181 / 6 Update 191
      if (
        ver =~ '^1\\.6\\.0_([0-9]|[0-9][0-9]|1[0-8][0-9]|190)([^0-9]|$)' ||
        ver =~ '^1\\.7\\.0_([0-9]|[0-9][0-9]|1[0-7][0-9]|180)([^0-9]|$)' ||
        ver =~ '^1\\.8\\.0_([0-9]|[0-9][0-9]|1[0-6][0-9]|170)([^0-9]|$)' ||
        ver =~ '^1\\.10\\.0_(00|0?0)([^0-9]|$)'
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.6.0_191 / 1.7.0_181 / 1.8.0_171 / 1.10.0_1\n';
      }
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      if (report_verbosity > 0)
      {
        if (vuln > 1) s = "s of Java are";
        else s = " of Java is";
    
        report =
          '\n' +
          'The following vulnerable instance'+s+' installed on the\n' +
          'remote host :\n' +
          info;
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else
    {
      installed_versions = substr(installed_versions, 3);
      if (" & " >< installed_versions)
        exit(0, "The Java "+installed_versions+" installations on the remote host are not affected.");
      else
        audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions);
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0130.NASL
    descriptionAn update of 'mysql', 'openjdk',openjre packages of Photon OS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111932
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111932
    titlePhoton OS 1.0: Mysql / Openjdk PHSA-2018-1.0-0130 (deprecated)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2/7/2019
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2018-1.0-0130. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111932);
      script_version("1.2");
      script_cvs_date("Date: 2019/02/07 18:59:50");
    
      script_cve_id(
        "CVE-2018-2755",
        "CVE-2018-2783",
        "CVE-2018-2794",
        "CVE-2018-2795",
        "CVE-2018-2796",
        "CVE-2018-2797",
        "CVE-2018-2798",
        "CVE-2018-2799",
        "CVE-2018-2811",
        "CVE-2018-2814",
        "CVE-2018-2815",
        "CVE-2018-2825",
        "CVE-2018-2826"
      );
    
      script_name(english:"Photon OS 1.0: Mysql / Openjdk PHSA-2018-1.0-0130 (deprecated)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      script_set_attribute(attribute:"description", value:
    "An update of 'mysql', 'openjdk',openjre packages of Photon OS has been
    released.");
      # https://github.com/vmware/photon/wiki/Security-Updates-1.0-130
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8e96d19b");
      script_set_attribute(attribute:"solution", value:"n/a.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-2783");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:openjdk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    exit(0, "This plugin has been deprecated.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    pkgs = [
      "mysql-5.7.22-1.ph1",
      "mysql-debuginfo-5.7.22-1.ph1",
      "mysql-devel-5.7.22-1.ph1",
      "openjdk-1.8.0.172-1.ph1",
      "openjdk-debuginfo-1.8.0.172-1.ph1",
      "openjdk-doc-1.8.0.172-1.ph1",
      "openjdk-sample-1.8.0.172-1.ph1",
      "openjdk-src-1.8.0.172-1.ph1"
    ];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / openjdk");
    }
    
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_APR_2018_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 10 Update 1, 8 Update 171, 7 Update 181, or 6 Update 191. It is, therefore, affected by multiple vulnerabilities related to the following components : - AWT - Concurrency - Hotspot - Install - JAXP - JMX - Libraries - RMI - Security - Serialization
    last seen2020-06-01
    modified2020-06-02
    plugin id109203
    published2018-04-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109203
    titleOracle Java SE Multiple Vulnerabilities (April 2018 CPU) (Unix)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0130_OPENJDK.NASL
    descriptionAn update of the openjdk package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121835
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121835
    titlePhoton OS 1.0: Openjdk PHSA-2018-1.0-0130
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1738-2.NASL
    descriptionIBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449] Security fixes : CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 Removed translations in the java-1_8_0-ibm-devel-32bit package as they conflict with those in java-1_8_0-ibm-devel. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118267
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118267
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:1738-2)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0039_OPENJDK8.NASL
    descriptionAn update of the openjdk8 package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121938
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121938
    titlePhoton OS 2.0: Openjdk8 PHSA-2018-2.0-0039
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1738-1.NASL
    descriptionIBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449] Security fixes : - CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 - Removed translations in the java-1_8_0-ibm-devel-32bit package as they conflict with those in java-1_8_0-ibm-devel. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110620
    published2018-06-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110620
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:1738-1)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0039.NASL
    descriptionAn update of {'openjdk8', 'httpd', 'librelp', 'zsh', 'libvirt', 'libtiff'} packages of Photon OS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111298
    published2018-07-24
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111298
    titlePhoton OS 2.0 : openjdk8 / httpd / librelp / zsh / libvirt (PhotonOS-PHSA-2018-2.0-0039) (deprecated)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3747-1.NASL
    descriptionIt was discovered that OpenJDK did not properly validate types in some situations. An attacker could use this to construct a Java class that could possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826) It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it. An attacker could use this to potentially construct a class that caused a denial of service (excessive memory consumption). (CVE-2018-2952) Daniel Bleichenbacher discovered a vulnerability in the Galois/Counter Mode (GCM) mode of operation for symmetric block ciphers in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2018-2972). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id112033
    published2018-08-21
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112033
    titleUbuntu 18.04 LTS : openjdk-lts vulnerabilities (USN-3747-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3747-2.NASL
    descriptionUSN-3747-1 fixed vulnerabilities in OpenJDK 10 for Ubuntu 18.04 LTS. Unfortunately, that update introduced a regression around accessability support that prevented some Java applications from starting. This update fixes the problem. We apologize for the inconvenience. Original advisory details : It was discovered that OpenJDK did not properly validate types in some situations. An attacker could use this to construct a Java class that could possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826) It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it. An attacker could use this to potentially construct a class that caused a denial of service (excessive memory consumption). (CVE-2018-2952) Daniel Bleichenbacher discovered a vulnerability in the Galois/Counter Mode (GCM) mode of operation for symmetric block ciphers in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2018-2972). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id117479
    published2018-09-13
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117479
    titleUbuntu 18.04 LTS : openjdk-lts regression (USN-3747-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2068-1.NASL
    descriptionIBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449] Security fixes : - CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790 CVE-2018-1417 - Removed translations in the java-1_8_0-ibm-devel-32bit package as they conflict with those in java-1_8_0-ibm-devel. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120060
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120060
    titleSUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2018:2068-1)