Vulnerabilities > CVE-2018-3183

047910
CVSS 9.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
oracle
redhat
debian
canonical
hp
critical
nessus

Summary

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201908-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201908-10 (Oracle JDK/JRE: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE software suites. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id127959
    published2019-08-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127959
    titleGLSA-201908-10 : Oracle JDK/JRE: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201908-10.
    #
    # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127959);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id("CVE-2018-13785", "CVE-2018-3136", "CVE-2018-3139", "CVE-2018-3149", "CVE-2018-3150", "CVE-2018-3157", "CVE-2018-3169", "CVE-2018-3180", "CVE-2018-3183", "CVE-2018-3209", "CVE-2018-3211", "CVE-2018-3214", "CVE-2019-2602", "CVE-2019-2684", "CVE-2019-2697", "CVE-2019-2698", "CVE-2019-2699");
      script_xref(name:"GLSA", value:"201908-10");
    
      script_name(english:"GLSA-201908-10 : Oracle JDK/JRE: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201908-10
    (Oracle JDK/JRE: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE
          software suites. Please review the CVE identifiers referenced below for
          details.
      
    Impact :
    
        Please review the referenced CVE identifiers for details.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201908-10"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Oracle JDK bin users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=dev-java/oracle-jdk-bin-1.8.0.202:1.8'
        All Oracle JRE bin users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=dev-java/oracle-jre-bin-1.8.0.202:1.8'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:oracle-jdk-bin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:oracle-jre-bin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-java/oracle-jre-bin", unaffected:make_list("ge 1.8.0.202"), vulnerable:make_list("lt 1.8.0.202"))) flag++;
    if (qpkg_check(package:"dev-java/oracle-jdk-bin", unaffected:make_list("ge 1.8.0.202"), vulnerable:make_list("lt 1.8.0.202"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Oracle JDK/JRE");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1097.NASL
    descriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).(CVE-2018-3139) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2018-3214) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).(CVE-2018-3169) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).(CVE-2018-3183) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).(CVE-2018-3180) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).(CVE-2018-3149) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).(CVE-2018-3136)
    last seen2020-06-01
    modified2020-06-02
    plugin id118404
    published2018-10-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118404
    titleAmazon Linux 2 : java-1.8.0-openjdk (ALAS-2018-1097)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0035_JAVA-1.8.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2018-3214) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2018-3139) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (CVE-2018-3180) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N). (CVE-2018-3136) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2018-3149) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2018-3169) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). (CVE-2018-3183) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127205
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127205
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0035)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0192.NASL
    descriptionAn update of 'openjdk' packages of Photon OS has been released.
    last seen2019-02-08
    modified2019-02-07
    plugin id118494
    published2018-10-29
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=118494
    titlePhoton OS 1.0: Openjdk PHSA-2018-1.0-0192 (deprecated)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3534.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP25. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) * libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118865
    published2018-11-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118865
    titleRHEL 7 : java-1.8.0-ibm (RHSA-2018:3534)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0058-1.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u191 fixes the following issues : Security issues fixed : CVE-2018-3136: Manifest better support (bsc#1112142) CVE-2018-3139: Better HTTP Redirection (bsc#1112143) CVE-2018-3149: Enhance JNDI lookups (bsc#1112144) CVE-2018-3169: Improve field accesses (bsc#1112146) CVE-2018-3180: Improve TLS connections stability (bsc#1112147) CVE-2018-3214: Better RIFF reading support (bsc#1112152) CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153) CVE-2018-3183: Improve script engine support (bsc#1112148) CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-11
    plugin id121092
    published2019-01-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121092
    titleSUSE SLED15 / SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:0058-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-3521.NASL
    descriptionFrom Red Hat Security Advisory 2018:3521 : An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Multi-Release attribute read from outside of the main manifest attributes (Utility, 8199171) (CVE-2018-3150) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118849
    published2018-11-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118849
    titleOracle Linux 7 : java-11-openjdk (ELSA-2018-3521)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4326.NASL
    descriptionSeveral vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, incomplete TLS identity verification, information disclosure or the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id118472
    published2018-10-29
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118472
    titleDebian DSA-4326-1 : openjdk-8 - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3533.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP25. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) * libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118864
    published2018-11-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118864
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2018:3533)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3868-1.NASL
    descriptionjava-1_8_0-ibm was updated to Java 8.0 Service Refresh 5 Fix Pack 25 (bsc#1116574) Class Libraries : - IJ10934 CVE-2018-13785 - IJ10935 CVE-2018-3136 - IJ10895 CVE-2018-3139 - IJ10932 CVE-2018-3149 - IJ10894 CVE-2018-3180 - IJ10930 CVE-2018-3183 - IJ10933 CVE-2018-3214 - IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT - IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT - IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS. - IJ10566 SUPPORT EBCDIC CODE PAGE IBM-274 – BELGIUM EBCDIC Java Virtual Machine - IJ08730 APPLICATION SIGNAL HANDLER NOT INVOKED FOR SIGABRT - IJ10453 ASSERTION FAILURE AT CLASSPATHITEM.CPP - IJ09574 CLASSLOADER DEFINED THROUGH SYSTEM PROPERTY ‘JAVA.SYSTEM.CLAS S.LOADE R’ IS NOT HONORED. - IJ10931 CVE-2018-3169 - IJ10618 GPU SORT: UNSPECIFIED LAUNCH FAILURE - IJ10619 INCORRECT ILLEGALARGUMENTEXCEPTION BECAUSE OBJECT IS NOT AN INSTANCE OF DECLARING CLASS ON REFLECTIVE INVOCATION - IJ10135 JVM HUNG IN GARBAGECOLLECTORMXBEAN.G ETLASTGCINFO() API - IJ10680 RECURRENT ABORTED SCAVENGE ORB - IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION Reliability and Serviceability - IJ09600 DTFJ AND JDMPVIEW FAIL TO PARSE WIDE REGISTER VALUES Security - IJ10492
    last seen2020-03-18
    modified2019-01-02
    plugin id120167
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120167
    titleSUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2018:3868-1)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0290_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136109
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136109
    titlePhoton OS 1.0: Openjdk11 PHSA-2020-1.0-0290
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-818.NASL
    descriptionThis update for java-11-openjdk fixes the following issues : Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU) Security fixes : - S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support - S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses - S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups - S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability - S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again - S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks - S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound - S8194534, CVE-2018-3136, bsc#1112142: Manifest better support - S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates - S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection Security-In-Depth fixes : - S8194546: Choosier FileManagers - S8195874: Improve jar specification adherence - S8196897: Improve PRNG support - S8197881: Better StringBuilder support - S8201756: Improve cipher inputs - S8203654: Improve cypher state updates - S8204497: Better formatting of decimals - S8200666: Improve LDAP support - S8199110: Address Internet Addresses Update to upstream tag jdk-11+28 (OpenJDK 11 rc1) - S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy - S8207838: AArch64: Float registers incorrectly restored in JNI call - S8209637: [s390x] Interpreter doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id123345
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123345
    titleopenSUSE Security Update : java-11-openjdk (openSUSE-2019-818)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-2942.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118311
    published2018-10-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118311
    titleCentOS 7 : java-1.8.0-openjdk (CESA-2018:2942)
  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_OCT_2018.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 1, 8 Update 191, 7 Update 201, or 6 Update 211. It is, therefore, affected by multiple vulnerabilities related to the following components : - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Deployment (libpng) subcomponent could allow an unauthenticated, remote attacker with network access via HTTP to compromise Java SE, Java SE Embedded. (CVE-2018-13785) - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Hotspot subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. (CVE-2018-3169) - An unspecified vulnerability in the Java SE component of Oracle Java SE in the JavaFX subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3209) - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the JNDI subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. (CVE-2018-3149) - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the JSSE subcomponent could allow an unauthenticated, remote attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. (CVE-2018-3180) - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Networking subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. (CVE-2018-3139) - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the Scripting subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. (CVE-2018-3183) - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Security subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. (CVE-2018-3136) - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Serviceability subcomponent could allow a low privileged attacker with logon to the infrastructure where Java SE, Java SE Embedded executes to compromise Java SE, Java SE Embedded. (CVE-2018-3211) - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Sound subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3157) - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Utility subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3150) Please consult the CVRF details for the applicable CVEs for additional information. Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id118228
    published2018-10-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118228
    titleOracle Java SE Multiple Vulnerabilities (October 2018 CPU)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181018_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) - OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) - OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) - OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) - OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) - OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) - OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214)
    last seen2020-03-18
    modified2018-10-19
    plugin id118217
    published2018-10-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118217
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (20181018)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2018-2942.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-03
    modified2018-11-21
    plugin id119088
    published2018-11-21
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119088
    titleVirtuozzo 7 : java-1.8.0-openjdk / etc (VZLSA-2018-2942)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2942.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118186
    published2018-10-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118186
    titleRHEL 7 : java-1.8.0-openjdk (RHSA-2018:2942)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3521.NASL
    descriptionAn update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Multi-Release attribute read from outside of the main manifest attributes (Utility, 8199171) (CVE-2018-3150) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118815
    published2018-11-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118815
    titleRHEL 7 : java-11-openjdk (RHSA-2018:3521)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0192_OPENJDK.NASL
    descriptionAn update of the openjdk package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121892
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121892
    titlePhoton OS 1.0: Openjdk PHSA-2018-1.0-0192
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1097.NASL
    descriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).(CVE-2018-3136) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2018-3214) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).(CVE-2018-3149) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).(CVE-2018-3183) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).(CVE-2018-3139) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).(CVE-2018-3169) Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).(CVE-2018-3180)
    last seen2020-06-01
    modified2020-06-02
    plugin id118802
    published2018-11-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118802
    titleAmazon Linux AMI : java-1.8.0-openjdk (ALAS-2018-1097)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3804-1.NASL
    descriptionIt was discovered that the Security component of OpenJDK did not properly ensure that manifest elements were signed before use. An attacker could possibly use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3136) Artem Smotrakov discovered that the HTTP client redirection handler implementation in OpenJDK did not clear potentially sensitive information in HTTP headers when following redirections to different hosts. An attacker could use this to expose sensitive information. (CVE-2018-3139) It was discovered that the Java Naming and Directory Interface (JNDI) implementation in OpenJDK did not properly enforce restrictions specified by system properties in some situations. An attacker could potentially use this to execute arbitrary code. (CVE-2018-3149) It was discovered that the Utility component of OpenJDK did not properly ensure all attributes in a JAR were signed before use. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-3150) It was discovered that the Hotspot component of OpenJDK did not properly perform access checks in certain cases when performing field link resolution. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3169) Felix Dorre discovered that the Java Secure Socket Extension (JSSE) implementation in OpenJDK did not ensure that the same endpoint identification algorithm was used during TLS session resumption as during initial session setup. An attacker could use this to expose sensitive information. (CVE-2018-3180) Krzysztof Szafranski discovered that the Scripting component did not properly restrict access to the scripting engine in some situations. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3183) Tobias Ospelt discovered that the Resource Interchange File Format (RIFF) reader implementation in OpenJDK contained an infinite loop. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-3214). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118568
    published2018-10-31
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118568
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 : openjdk-8, openjdk-lts vulnerabilities (USN-3804-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-2943.NASL
    descriptionFrom Red Hat Security Advisory 2018:2943 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118184
    published2018-10-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118184
    titleOracle Linux 6 : java-1.8.0-openjdk (ELSA-2018-2943)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181018_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) - OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) - OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) - OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) - OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) - OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) - OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214)
    last seen2020-03-18
    modified2018-10-19
    plugin id118218
    published2018-10-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118218
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL7.x x86_64 (20181018)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-2943.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118312
    published2018-10-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118312
    titleCentOS 6 : java-1.8.0-openjdk (CESA-2018:2943)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2943.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118187
    published2018-10-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118187
    titleRHEL 6 : java-1.8.0-openjdk (RHSA-2018:2943)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-3521.NASL
    descriptionAn update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Multi-Release attribute read from outside of the main manifest attributes (Utility, 8199171) (CVE-2018-3150) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id119048
    published2018-11-21
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119048
    titleCentOS 7 : java-11-openjdk (CESA-2018:3521)
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_OCT_2018_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 1, 8 Update 191, 7 Update 201, or 6 Update 211. It is, therefore, affected by multiple vulnerabilities : - An unspecified vulnerability in the Java SE Embedded component of Oracle Java SE in the Deployment (libpng) subcomponent could allow an unauthenticated, remote attacker with network access via HTTP to compromise Java SE. (CVE-2018-13785) - An unspecified vulnerability in the Java SE Embedded component of Oracle Java SE in the Hotspot subcomponent that could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE (CVE-2018-3169) - An unspecified vulnerability in the Java SE component of Oracle Java SE in the JavaFX subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3209) - An unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit component of Oracle Java SE in the JNDI subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, and JRockit. (CVE-2018-3149) - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the JSSE subcomponent could allow an unauthenticated, remote attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, or JRockit. (CVE-2018-3180) - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Networking subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE or Java SE Embedded. (CVE-2018-3139) - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the Scripting subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, or JRockit. (CVE-2018-3183) - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Security subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. (CVE-2018-3136) - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Serviceability subcomponent could allow a low privileged attacker with logon to the infrastructure where Java SE, Java SE Embedded executes to compromise Java SE, Java SE Embedded. (CVE-2018-3211) - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Sound subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3157) - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Utility subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3150) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id118227
    published2018-10-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118227
    titleOracle Java SE Multiple Vulnerabilities (October 2018 CPU) (Unix)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0057-1.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u191 fixes the following issues : Security issues fixed : CVE-2018-3136: Manifest better support (bsc#1112142) CVE-2018-3139: Better HTTP Redirection (bsc#1112143) CVE-2018-3149: Enhance JNDI lookups (bsc#1112144) CVE-2018-3169: Improve field accesses (bsc#1112146) CVE-2018-3180: Improve TLS connections stability (bsc#1112147) CVE-2018-3214: Better RIFF reading support (bsc#1112152) CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153) CVE-2018-3183: Improve script engine support (bsc#1112148) CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-11
    plugin id121091
    published2019-01-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121091
    titleSUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:0057-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-2942.NASL
    descriptionFrom Red Hat Security Advisory 2018:2942 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118183
    published2018-10-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118183
    titleOracle Linux 7 : java-1.8.0-openjdk (ELSA-2018-2942)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0146_JAVA-1.8.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2018-3214) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2018-3139) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (CVE-2018-3180) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N). (CVE-2018-3136) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2018-3149) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2018-3169) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). (CVE-2018-3183) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127414
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127414
    titleNewStart CGSL MAIN 4.05 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0146)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3002.NASL
    descriptionAn update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 191. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX) (CVE-2018-3209) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability) (CVE-2018-3211) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) * libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118371
    published2018-10-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118371
    titleRHEL 7 : java-1.8.0-oracle (RHSA-2018:3002)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3003.NASL
    descriptionAn update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 191. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX) (CVE-2018-3209) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability) (CVE-2018-3211) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) * libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id118372
    published2018-10-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118372
    titleRHEL 6 : java-1.8.0-oracle (RHSA-2018:3003)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1386.NASL
    descriptionAccording to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: Improper field access checks (CVE-2018-3169) - OpenJDK: Unrestricted access to scripting engine (CVE-2018-3183) - OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (CVE-2018-3149) - OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (CVE-2018-3136) - OpenJDK: Leak of sensitive header data via HTTP redirect (CVE-2018-3139) - OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (CVE-2018-3180) - OpenJDK: Infinite loop in RIFF format reader (CVE-2018-3214) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-15
    modified2018-12-10
    plugin id119514
    published2018-12-10
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119514
    titleEulerOS 2.0 SP3 : java-1.8.0-openjdk (EulerOS-SA-2018-1386)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1416.NASL
    descriptionAccording to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - OpenJDK: Improper field access checks (CVE-2018-3169) - OpenJDK: Unrestricted access to scripting engine (CVE-2018-3183) - OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (CVE-2018-3149) - OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (CVE-2018-3136) - OpenJDK: Leak of sensitive header data via HTTP redirect (CVE-2018-3139) - OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (CVE-2018-3180) - OpenJDK: Infinite loop in RIFF format reader (CVE-2018-3214) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-12-28
    plugin id119905
    published2018-12-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119905
    titleEulerOS 2.0 SP2 : java-1.8.0-openjdk (EulerOS-SA-2018-1416)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2018-2943.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-03
    modified2018-11-21
    plugin id119089
    published2018-11-21
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119089
    titleVirtuozzo 6 : java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc (VZLSA-2018-2943)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4064-1.NASL
    descriptionjava-1_8_0-ibm was updated to Java 8.0 Service Refresh 5 Fix Pack 25 (bsc#1116574) Class Libraries : - IJ10934 CVE-2018-13785 - IJ10935 CVE-2018-3136 - IJ10895 CVE-2018-3139 - IJ10932 CVE-2018-3149 - IJ10894 CVE-2018-3180 - IJ10930 CVE-2018-3183 - IJ10933 CVE-2018-3214 - IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT - IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT - IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS. - IJ10566 SUPPORT EBCDIC CODE PAGE IBM-274 – BELGIUM EBCDIC Java Virtual Machine - IJ08730 APPLICATION SIGNAL HANDLER NOT INVOKED FOR SIGABRT - IJ10453 ASSERTION FAILURE AT CLASSPATHITEM.CPP - IJ09574 CLASSLOADER DEFINED THROUGH SYSTEM PROPERTY ‘JAVA.SYSTEM.CLAS S.LOADE R’ IS NOT HONORED. - IJ10931 CVE-2018-3169 - IJ10618 GPU SORT: UNSPECIFIED LAUNCH FAILURE - IJ10619 INCORRECT ILLEGALARGUMENTEXCEPTION BECAUSE OBJECT IS NOT AN INSTANCE OF DECLARING CLASS ON REFLECTIVE INVOCATION - IJ10135 JVM HUNG IN GARBAGECOLLECTORMXBEAN.G ETLASTGCINFO() API - IJ10680 RECURRENT ABORTED SCAVENGE ORB - IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION Reliability and Serviceability - IJ09600 DTFJ AND JDMPVIEW FAIL TO PARSE WIDE REGISTER VALUES Security - IJ10492
    last seen2020-04-30
    modified2018-12-11
    plugin id119578
    published2018-12-11
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119578
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2018:4064-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1205.NASL
    descriptionThis update for java-11-openjdk fixes the following issues : Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU) Security fixes : - S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support - S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses - S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups - S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability - S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again - S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks - S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound - S8194534, CVE-2018-3136, bsc#1112142: Manifest better support - S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates - S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection Security-In-Depth fixes : - S8194546: Choosier FileManagers - S8195874: Improve jar specification adherence - S8196897: Improve PRNG support - S8197881: Better StringBuilder support - S8201756: Improve cipher inputs - S8203654: Improve cypher state updates - S8204497: Better formatting of decimals - S8200666: Improve LDAP support - S8199110: Address Internet Addresses Update to upstream tag jdk-11+28 (OpenJDK 11 rc1) - S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy - S8207838: AArch64: Float registers incorrectly restored in JNI call - S8209637: [s390x] Interpreter doesn
    last seen2020-06-05
    modified2018-10-19
    plugin id118221
    published2018-10-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118221
    titleopenSUSE Security Update : java-11-openjdk (openSUSE-2018-1205)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-43.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u191 fixes the following issues : Security issues fixed : - CVE-2018-3136: Manifest better support (bsc#1112142) - CVE-2018-3139: Better HTTP Redirection (bsc#1112143) - CVE-2018-3149: Enhance JNDI lookups (bsc#1112144) - CVE-2018-3169: Improve field accesses (bsc#1112146) - CVE-2018-3180: Improve TLS connections stability (bsc#1112147) - CVE-2018-3214: Better RIFF reading support (bsc#1112152) - CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153) - CVE-2018-3183: Improve script engine support (bsc#1112148) - CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-05-31
    modified2019-01-14
    plugin id121152
    published2019-01-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121152
    titleopenSUSE Security Update : java-1_8_0-openjdk (openSUSE-2019-43)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181107_JAVA_11_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) - OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) - OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) - OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) - OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) - OpenJDK: Multi-Release attribute read from outside of the main manifest attributes (Utility, 8199171) (CVE-2018-3150) - OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)
    last seen2020-03-18
    modified2018-11-27
    plugin id119209
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119209
    titleScientific Linux Security Update : java-11-openjdk on SL7.x x86_64 (20181107)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0106_OPENJDK8.NASL
    descriptionAn update of the openjdk8 package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id122001
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122001
    titlePhoton OS 2.0: Openjdk8 PHSA-2018-2.0-0106
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0084_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136100
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136100
    titlePhoton OS 3.0: Openjdk11 PHSA-2020-3.0-0084
  • NASL familyWindows
    NASL idORACLE_JROCKIT_CPU_OCT_2018.NASL
    descriptionThe version of Oracle JRockit JDK installed on the remote Windows host is R28.3.19. It is, therefore, affected by multiple vulnerabilities. See advisory for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id118572
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118572
    titleOracle JRockit JDK R28.3.19 Multiple Vulnerabilities (October 2018 CPU)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3852.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP25. Security Fix(es) : * OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180) * OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214) * libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-28
    modified2018-12-20
    plugin id119801
    published2018-12-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119801
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2018:3852)

Redhat

advisories
  • bugzilla
    id1642321
    titleCVE-2018-3150 OpenJDK: Multi-Release attribute read from outside of the main manifest attributes (Utility, 8199171)
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentjava-11-openjdk-headless is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521001
          • commentjava-11-openjdk-headless is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521002
        • AND
          • commentjava-11-openjdk-devel is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521003
          • commentjava-11-openjdk-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521004
        • AND
          • commentjava-11-openjdk is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521005
          • commentjava-11-openjdk is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521006
        • AND
          • commentjava-11-openjdk-headless-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521007
          • commentjava-11-openjdk-headless-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521008
        • AND
          • commentjava-11-openjdk-src-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521009
          • commentjava-11-openjdk-src-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521010
        • AND
          • commentjava-11-openjdk-src is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521011
          • commentjava-11-openjdk-src is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521012
        • AND
          • commentjava-11-openjdk-jmods-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521013
          • commentjava-11-openjdk-jmods-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521014
        • AND
          • commentjava-11-openjdk-demo is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521015
          • commentjava-11-openjdk-demo is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521016
        • AND
          • commentjava-11-openjdk-javadoc is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521017
          • commentjava-11-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521018
        • AND
          • commentjava-11-openjdk-devel-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521019
          • commentjava-11-openjdk-devel-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521020
        • AND
          • commentjava-11-openjdk-jmods is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521021
          • commentjava-11-openjdk-jmods is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521022
        • AND
          • commentjava-11-openjdk-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521023
          • commentjava-11-openjdk-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521024
        • AND
          • commentjava-11-openjdk-javadoc-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521025
          • commentjava-11-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521026
        • AND
          • commentjava-11-openjdk-javadoc-zip-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521027
          • commentjava-11-openjdk-javadoc-zip-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521028
        • AND
          • commentjava-11-openjdk-demo-debug is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521029
          • commentjava-11-openjdk-demo-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521030
        • AND
          • commentjava-11-openjdk-javadoc-zip is earlier than 1:11.0.1.13-3.el7_6
            ovaloval:com.redhat.rhsa:tst:20183521031
          • commentjava-11-openjdk-javadoc-zip is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183521032
    rhsa
    idRHSA-2018:3521
    released2018-11-07
    severityCritical
    titleRHSA-2018:3521: java-11-openjdk security update (Critical)
  • rhsa
    idRHSA-2018:2942
  • rhsa
    idRHSA-2018:2943
  • rhsa
    idRHSA-2018:3002
  • rhsa
    idRHSA-2018:3003
  • rhsa
    idRHSA-2018:3533
  • rhsa
    idRHSA-2018:3534
  • rhsa
    idRHSA-2018:3852
rpms
  • java-1.8.0-openjdk-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-accessibility-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-accessibility-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-demo-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-devel-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-headless-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-javadoc-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-javadoc-zip-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-src-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-src-debug-1:1.8.0.191.b12-0.el7_5
  • java-1.8.0-openjdk-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-debug-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-demo-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-devel-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-headless-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-javadoc-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-src-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-openjdk-src-debug-1:1.8.0.191.b12-0.el6_10
  • java-1.8.0-oracle-1:1.8.0.191-1jpp.1.el7
  • java-1.8.0-oracle-devel-1:1.8.0.191-1jpp.1.el7
  • java-1.8.0-oracle-javafx-1:1.8.0.191-1jpp.1.el7
  • java-1.8.0-oracle-jdbc-1:1.8.0.191-1jpp.1.el7
  • java-1.8.0-oracle-plugin-1:1.8.0.191-1jpp.1.el7
  • java-1.8.0-oracle-src-1:1.8.0.191-1jpp.1.el7
  • java-1.8.0-oracle-1:1.8.0.191-1jpp.1.el6
  • java-1.8.0-oracle-devel-1:1.8.0.191-1jpp.1.el6
  • java-1.8.0-oracle-javafx-1:1.8.0.191-1jpp.1.el6
  • java-1.8.0-oracle-jdbc-1:1.8.0.191-1jpp.1.el6
  • java-1.8.0-oracle-plugin-1:1.8.0.191-1jpp.1.el6
  • java-1.8.0-oracle-src-1:1.8.0.191-1jpp.1.el6
  • java-11-openjdk-1:11.0.1.13-3.el7_6
  • java-11-openjdk-debug-1:11.0.1.13-3.el7_6
  • java-11-openjdk-debuginfo-1:11.0.1.13-3.el7_6
  • java-11-openjdk-demo-1:11.0.1.13-3.el7_6
  • java-11-openjdk-demo-debug-1:11.0.1.13-3.el7_6
  • java-11-openjdk-devel-1:11.0.1.13-3.el7_6
  • java-11-openjdk-devel-debug-1:11.0.1.13-3.el7_6
  • java-11-openjdk-headless-1:11.0.1.13-3.el7_6
  • java-11-openjdk-headless-debug-1:11.0.1.13-3.el7_6
  • java-11-openjdk-javadoc-1:11.0.1.13-3.el7_6
  • java-11-openjdk-javadoc-debug-1:11.0.1.13-3.el7_6
  • java-11-openjdk-javadoc-zip-1:11.0.1.13-3.el7_6
  • java-11-openjdk-javadoc-zip-debug-1:11.0.1.13-3.el7_6
  • java-11-openjdk-jmods-1:11.0.1.13-3.el7_6
  • java-11-openjdk-jmods-debug-1:11.0.1.13-3.el7_6
  • java-11-openjdk-src-1:11.0.1.13-3.el7_6
  • java-11-openjdk-src-debug-1:11.0.1.13-3.el7_6
  • java-1.8.0-ibm-1:1.8.0.5.25-1jpp.1.el6_10
  • java-1.8.0-ibm-demo-1:1.8.0.5.25-1jpp.1.el6_10
  • java-1.8.0-ibm-devel-1:1.8.0.5.25-1jpp.1.el6_10
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.25-1jpp.1.el6_10
  • java-1.8.0-ibm-plugin-1:1.8.0.5.25-1jpp.1.el6_10
  • java-1.8.0-ibm-src-1:1.8.0.5.25-1jpp.1.el6_10
  • java-1.8.0-ibm-1:1.8.0.5.25-1jpp.1.el7
  • java-1.8.0-ibm-demo-1:1.8.0.5.25-1jpp.1.el7
  • java-1.8.0-ibm-devel-1:1.8.0.5.25-1jpp.1.el7
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.25-1jpp.1.el7
  • java-1.8.0-ibm-plugin-1:1.8.0.5.25-1jpp.1.el7
  • java-1.8.0-ibm-src-1:1.8.0.5.25-1jpp.1.el7
  • java-1.8.0-ibm-1:1.8.0.5.25-1jpp.1.el6_10
  • java-1.8.0-ibm-devel-1:1.8.0.5.25-1jpp.1.el6_10

References