Vulnerabilities > CVE-2019-2762

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
LOW

Summary

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1110.NASL
    descriptionAccording to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.Security Fix(es):Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2999)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2816)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2786)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2762)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2769)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2962)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2988)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2992)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2019-2964)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2973)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2981)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2958)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2945)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2978)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2989)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2983) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2020-02-24
    plugin id133911
    published2020-02-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133911
    titleEulerOS 2.0 SP5 : java-1.7.0-openjdk (EulerOS-SA-2020-1110)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133911);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2019-2762",
        "CVE-2019-2769",
        "CVE-2019-2786",
        "CVE-2019-2816",
        "CVE-2019-2945",
        "CVE-2019-2958",
        "CVE-2019-2962",
        "CVE-2019-2964",
        "CVE-2019-2973",
        "CVE-2019-2978",
        "CVE-2019-2981",
        "CVE-2019-2983",
        "CVE-2019-2988",
        "CVE-2019-2989",
        "CVE-2019-2992",
        "CVE-2019-2999"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : java-1.7.0-openjdk (EulerOS-SA-2020-1110)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the java-1.7.0-openjdk packages
    installed, the EulerOS installation on the remote host is affected by
    the following vulnerabilities :
    
      - The java-1.7.0-openjdk packages provide the OpenJDK 7
        Java Runtime Environment and the OpenJDK 7 Java
        Software Development Kit.Security Fix(es):Vulnerability
        in the Java SE product of Oracle Java SE (component:
        Javadoc). Supported versions that are affected are Java
        SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit
        vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise
        Java SE. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Java SE, attacks may significantly
        impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert
        or delete access to some of Java SE accessible data as
        well as unauthorized read access to a subset of Java SE
        accessible data. Note: This vulnerability applies to
        Java deployments, typically in clients running
        sandboxed Java Web Start applications or sandboxed Java
        applets (in Java SE 8), that load and run untrusted
        code (e.g., code that comes from the internet) and rely
        on the Java sandbox for security. This vulnerability
        does not apply to Java deployments, typically in
        servers, that load and run only trusted code (e.g.,
        code installed by an
        administrator).(CVE-2019-2999)Vulnerability in the Java
        SE, Java SE Embedded component of Oracle Java SE
        (subcomponent: Networking). Supported versions that are
        affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1
        Java SE Embedded: 8u211. Difficult to exploit
        vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise
        Java SE, Java SE Embedded. Successful attacks of this
        vulnerability can result in unauthorized update, insert
        or delete access to some of Java SE, Java SE Embedded
        accessible data as well as unauthorized read access to
        a subset of Java SE, Java SE Embedded accessible data.
        Note: This vulnerability applies to Java deployments,
        typically in clients running sandboxed Java Web Start
        applications or sandboxed Java applets (in Java SE 8),
        that load and run untrusted code (e.g., code that comes
        from the internet) and rely on the Java sandbox for
        security. This vulnerability can also be exploited by
        using APIs in the specified Component, e.g., through a
        web service which supplies data to the
        APIs.(CVE-2019-2816)Vulnerability in the Java SE, Java
        SE Embedded component of Oracle Java SE (subcomponent:
        Security). Supported versions that are affected are
        Java SE: 8u212, 11.0.3 and 12.0.1 Java SE Embedded:
        8u211. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Java SE, Java SE Embedded, attacks
        may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized read access to a subset of Java SE, Java
        SE Embedded accessible data. Note: This vulnerability
        applies to Java deployments, typically in clients
        running sandboxed Java Web Start applications or
        sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2786)Vulnerability in the Java SE, Java
        SE Embedded component of Oracle Java SE (subcomponent:
        Utilities). Supported versions that are affected are
        Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE
        Embedded: 8u211. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2762)Vulnerability in the Java SE, Java
        SE Embedded component of Oracle Java SE (subcomponent:
        Utilities). Supported versions that are affected are
        Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE
        Embedded: 8u211. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2769)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component: 2D).
        Supported versions that are affected are Java SE:
        7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221.
        Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2962)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component: 2D).
        Supported versions that are affected are Java SE:
        7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221.
        Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply
        to Java deployments, typically in servers, that load
        and run only trusted code (e.g., code installed by an
        administrator).(CVE-2019-2988)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: 2D). Supported versions that are affected
        are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE
        Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply
        to Java deployments, typically in servers, that load
        and run only trusted code (e.g., code installed by an
        administrator).(CVE-2019-2992)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: Concurrency). Supported versions that are
        affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java
        SE Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability can only be
        exploited by supplying data to APIs in the specified
        Component without using Untrusted Java Web Start
        applications or Untrusted Java applets, such as through
        a web service.(CVE-2019-2964)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: JAXP). Supported versions that are affected
        are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE
        Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2973)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        JAXP). Supported versions that are affected are Java
        SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2981)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Libraries). Supported versions that are affected are
        Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or
        modification access to critical data or all Java SE,
        Java SE Embedded accessible data. Note: This
        vulnerability applies to Java deployments, typically in
        clients running sandboxed Java Web Start applications
        or sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2958)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Networking). Supported versions that are affected are
        Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks require human interaction
        from a person other than the attacker. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE Embedded.
        Note: This vulnerability applies to Java deployments,
        typically in clients running sandboxed Java Web Start
        applications or sandboxed Java applets (in Java SE 8),
        that load and run untrusted code (e.g., code that comes
        from the internet) and rely on the Java sandbox for
        security. This vulnerability does not apply to Java
        deployments, typically in servers, that load and run
        only trusted code (e.g., code installed by an
        administrator).(CVE-2019-2945)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: Networking). Supported versions that are
        affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java
        SE Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2978)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Networking). Supported versions that are affected are
        Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. While the vulnerability is in Java SE, Java
        SE Embedded, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all
        Java SE, Java SE Embedded accessible data. Note: This
        vulnerability applies to Java deployments, typically in
        clients running sandboxed Java Web Start applications
        or sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2989)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Serialization). Supported versions that are affected
        are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE
        Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2983)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1110
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a938e66d");
      script_set_attribute(attribute:"solution", value:
    "Update the affected java-1.7.0-openjdk packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["java-1.7.0-openjdk-1.7.0.191-2.6.15.4.h11.eulerosv2r7",
            "java-1.7.0-openjdk-devel-1.7.0.191-2.6.15.4.h11.eulerosv2r7",
            "java-1.7.0-openjdk-headless-1.7.0.191-2.6.15.4.h11.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-openjdk");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0250_OPENJDK.NASL
    descriptionAn update of the openjdk package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id128710
    published2019-09-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128710
    titlePhoton OS 1.0: Openjdk PHSA-2019-1.0-0250
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2019-1.0-0250. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128710);
      script_version("1.5");
      script_cvs_date("Date: 2019/12/30");
    
      script_cve_id(
        "CVE-2019-2745",
        "CVE-2019-2762",
        "CVE-2019-2769",
        "CVE-2019-2816",
        "CVE-2019-2821"
      );
    
      script_name(english:"Photon OS 1.0: Openjdk PHSA-2019-1.0-0250");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the openjdk package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-250.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:openjdk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-1.0", reference:"openjdk-1.8.0.222-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"openjdk-debuginfo-1.8.0.222-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"openjdk-doc-1.8.0.222-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"openjdk-sample-1.8.0.222-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"openjdk-src-1.8.0.222-1.ph1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openjdk");
    }
    
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_JUL_2019_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 231, 8 Update 221, 11 Update 4, or 12 Update 2. It is, therefore, affected by multiple vulnerabilities: - Unspecified vulnerabilities in the utilities and JCE subcomponents of Oracle Java SE, which could allow an unauthenticated remote attacker to cause a partial denial of service. (CVE-2019-2762, CVE-2019-2769, CVE-2019-2842) - An unspecified vulnerability in the security subcomponent of Oracle Java SE, which could allow an unauthenticated local attacker to gain unauthorized access to critical Java SE data. (CVE-2019-2745) - Unspecified vulnerabilities in the networking and security subcomponents of Oracle Java SE, which could allow an unauthenticated remote attacker to gain unauthorized access to Java SE data. Exploitation of this vulnerability requires user interaction. (CVE-2019-2766, CVE-2019-2786, CVE-2019-2818) - An unspecified vulnerability in the networking subcomponent of Oracle Java SE, which could allow an unauthenticated remote attacker unauthorized read, update, insert or delete access to Java SE data. (CVE-2019-2816) - An unspecified vulnerability in the JSSE subcomponent of Oracle Java SE, which could allow an unauthenticated, remote attacker to gain unauthorized access to critical Java SE data. Exploitation of this vulnerability requires user interaction. (CVE-2019-2821) - A use after free vulnerability exists in the libpng subcomponent of Oracle Java SE. An unauthenticated, remote attacker can exploit this to cause a complete denial of service condition in Java SE. Exploitation of this vulnerability requires user interaction. (CVE-2019-7317) Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id126820
    published2019-07-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126820
    titleOracle Java SE 1.7.0_231 / 1.8.0_221 / 1.11.0_4 / 1.12.0_2 Multiple Vulnerabilities (Jul 2019 CPU) (Unix)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(126820);
      script_version("1.3");
      script_cvs_date("Date: 2019/10/21 11:55:47");
    
      script_cve_id(
        "CVE-2019-2745",
        "CVE-2019-2762",
        "CVE-2019-2766",
        "CVE-2019-2769",
        "CVE-2019-2786",
        "CVE-2019-2816",
        "CVE-2019-2818",
        "CVE-2019-2821",
        "CVE-2019-2842",
        "CVE-2019-6129",
        "CVE-2019-7317"
      );
      script_bugtraq_id(
        108098,
        109184,
        109185,
        109186,
        109187,
        109188,
        109189,
        109201,
        109206,
        109210,
        109212
      );
      script_xref(name:"IAVA", value:"2019-A-0255");
    
      script_name(english:"Oracle Java SE 1.7.0_231 / 1.8.0_221 / 1.11.0_4 / 1.12.0_2 Multiple Vulnerabilities (Jul 2019 CPU) (Unix)");
      script_summary(english:"Checks the version of the JRE.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Unix host contains a programming platform that is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business
    installed on the remote host is prior to 7 Update 231, 8 Update 221,
    11 Update 4, or 12 Update 2. It is, therefore, affected by multiple
    vulnerabilities:
    
      - Unspecified vulnerabilities in the utilities and JCE 
        subcomponents of Oracle Java SE, which could allow an 
        unauthenticated remote attacker to cause a partial denial 
        of service. (CVE-2019-2762, CVE-2019-2769, CVE-2019-2842)
    
      - An unspecified vulnerability in the security subcomponent 
        of Oracle Java SE, which could allow an unauthenticated 
        local attacker to gain unauthorized access to critical Java 
        SE data. (CVE-2019-2745)
    
      - Unspecified vulnerabilities in the networking and security 
        subcomponents of Oracle Java SE, which could allow an 
        unauthenticated remote attacker to gain unauthorized 
        access to Java SE data. Exploitation of this vulnerability 
        requires user interaction. 
        (CVE-2019-2766, CVE-2019-2786, CVE-2019-2818)
    
      - An unspecified vulnerability in the networking subcomponent
        of Oracle Java SE, which could allow an unauthenticated 
        remote attacker unauthorized read, update, insert or
        delete access to Java SE data. (CVE-2019-2816)
    
      - An unspecified vulnerability in the JSSE subcomponent of 
        Oracle Java SE, which could allow an unauthenticated, 
        remote attacker to gain unauthorized access to critical
        Java SE data. Exploitation of this vulnerability requires 
        user interaction. (CVE-2019-2821)
    
      - A use after free vulnerability exists in the libpng 
        subcomponent of Oracle Java SE. An unauthenticated, 
        remote attacker can exploit this to cause a complete
        denial of service condition in Java SE. Exploitation 
        of this vulnerability requires user interaction.
        (CVE-2019-7317)
    
    Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9aa2b901");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle JDK / JRE 12 Update 2 , 11 Update 4, 8 Update 221
    / 7 Update 231 or later. If necessary, remove any affected versions.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"agent", value:"unix");
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("sun_java_jre_installed_unix.nasl");
      script_require_keys("Host/Java/JRE/Installed");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit('Host/Java/JRE/Unmanaged/*');
    
    info = '';
    vuln = 0;
    vuln2 = 0;
    installed_versions = '';
    granular = '';
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - 'Host/Java/JRE/Unmanaged/';
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + ' & ' + ver;
    
    # Fixes : (JDK|JRE) 12 Update 2 / 11 Update 4 / 8 Update 221 / 7 Update 231 
      if (
        ver_compare(minver:'1.7.0', ver:ver, fix:'1.7.0_231', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:'1.8.0', ver:ver, fix:'1.8.0_221', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:'1.11.0', ver:ver, fix:'1.11.0_4', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:'1.12.0', ver:ver, fix:'1.12.0_2', regexes:{0:"_(\d+)"}, strict:FALSE) < 0
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.7.0_231 / 1.8.0_221 / 1.11.0_4 / 1.12.0_2\n';
      }
      else if (ver =~ "^[\d\.]+$")
      {
        dirs = make_list(get_kb_list(install));
        foreach dir (dirs)
          granular += 'The Oracle Java version '+ver+' at '+dir+' is not granular enough to make a determination.'+'\n';
      }
      else
      {
        dirs = make_list(get_kb_list(install));
        vuln2 += max_index(dirs);
      }
    
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      if (vuln > 1) s = 's of Java are';
      else s = ' of Java is';
    
      report =
        '\n' +
        'The following vulnerable instance'+s+' installed on the\n' +
        'remote host :\n' +
        info;
      security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
      if (granular) exit(0, granular);
    }
    else
    {
      if (granular) exit(0, granular);
    
      installed_versions = substr(installed_versions, 3);
      if (vuln2 > 1)
        exit(0, 'The Java '+installed_versions+' installations on the remote host are not affected.');
      else
        audit(AUDIT_INST_VER_NOT_VULN, 'Java', installed_versions);
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1815.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126941
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126941
    titleRHEL 7 : java-1.8.0-openjdk (RHSA-2019:1815)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:1815. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126941);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/07");
    
      script_cve_id("CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842");
      script_xref(name:"RHSA", value:"2019:1815");
    
      script_name(english:"RHEL 7 : java-1.8.0-openjdk (RHSA-2019:1815)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for java-1.8.0-openjdk is now available for Red Hat
    Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
    Environment and the OpenJDK 8 Java Software Development Kit.
    
    Security Fix(es) :
    
    * OpenJDK: Side-channel attack risks in Elliptic Curve (EC)
    cryptography (Security, 8208698) (CVE-2019-2745)
    
    * OpenJDK: Insufficient checks of suppressed exceptions in
    deserialization (Utilities, 8212328) (CVE-2019-2762)
    
    * OpenJDK: Unbounded memory allocation during deserialization in
    Collections (Utilities, 8213432) (CVE-2019-2769)
    
    * OpenJDK: Missing URL format validation (Networking, 8221518)
    (CVE-2019-2816)
    
    * OpenJDK: Missing array bounds check in crypto providers (JCE,
    8223511) (CVE-2019-2842)
    
    * OpenJDK: Insufficient restriction of privileges in AccessController
    (Security, 8216381) (CVE-2019-2786)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:1815"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2745"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2769"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2816"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2842"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-debug");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:1815";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el7_6")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc");
      }
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2028-1.NASL
    descriptionThis update for java-1_7_0-openjdk to version 7u231 fixes the following issues : Security issues fixed : CVE_2019-2426: Improve web server connections (bsc#1134297). CVE-2019-2745: Improved ECC Implementation (bsc#1141784). CVE-2019-2762: Exceptional throw cases (bsc#1141782). CVE-2019-2766: Improve file protocol handling (bsc#1141789). CVE-2019-2769: Better copies of CopiesList (bsc#1141783). CVE-2019-2786: More limited privilege usage (bsc#1141787). CVE-2019-2816: Normalize normalization (bsc#1141785). CVE-2019-2842: Extended AES support (bsc#1141786). CVE-2019-7317: Improve PNG support (bsc#1141780). CVE-2018-3639: fix revision to prefer PR_SPEC_DISABLE_NOEXEC to PR_SPEC_DISABLE (bsc#1087082). Certificate validation improvements Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127758
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127758
    titleSUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2019:2028-1) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:2028-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127758);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2018-3639", "CVE-2019-2426", "CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2766", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842", "CVE-2019-7317");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2019:2028-1) (Spectre)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for java-1_7_0-openjdk to version 7u231 fixes the
    following issues :
    
    Security issues fixed :
    
    CVE_2019-2426: Improve web server connections (bsc#1134297).
    
    CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
    
    CVE-2019-2762: Exceptional throw cases (bsc#1141782).
    
    CVE-2019-2766: Improve file protocol handling (bsc#1141789).
    
    CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
    
    CVE-2019-2786: More limited privilege usage (bsc#1141787).
    
    CVE-2019-2816: Normalize normalization (bsc#1141785).
    
    CVE-2019-2842: Extended AES support (bsc#1141786).
    
    CVE-2019-7317: Improve PNG support (bsc#1141780).
    
    CVE-2018-3639: fix revision to prefer PR_SPEC_DISABLE_NOEXEC to
    PR_SPEC_DISABLE (bsc#1087082).
    
    Certificate validation improvements
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087082"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1134297"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141780"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141782"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141783"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141784"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141785"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141789"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-3639/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2426/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2745/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2762/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2766/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2769/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2786/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2816/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2842/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-7317/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20192028-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e276b272"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP4:zypper in -t patch
    SUSE-SLE-SERVER-12-SP4-2019-2028=1
    
    SUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP4-2019-2028=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP4", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-debuginfo-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-debugsource-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-demo-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-demo-debuginfo-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-devel-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-devel-debuginfo-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-headless-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_7_0-openjdk-headless-debuginfo-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"java-1_7_0-openjdk-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"java-1_7_0-openjdk-debuginfo-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"java-1_7_0-openjdk-debugsource-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"java-1_7_0-openjdk-headless-1.7.0.231-43.27.2")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"java-1_7_0-openjdk-headless-debuginfo-1.7.0.231-43.27.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1_7_0-openjdk");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1840.NASL
    descriptionFrom Red Hat Security Advisory 2019:1840 : An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127031
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127031
    titleOracle Linux 6 : java-1.7.0-openjdk (ELSA-2019-1840)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2019:1840 and 
    # Oracle Linux Security Advisory ELSA-2019-1840 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127031);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842");
      script_xref(name:"RHSA", value:"2019:1840");
    
      script_name(english:"Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2019-1840)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2019:1840 :
    
    An update for java-1.7.0-openjdk is now available for Red Hat
    Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
    Environment and the OpenJDK 7 Java Software Development Kit.
    
    Security Fix(es) :
    
    * OpenJDK: Side-channel attack risks in Elliptic Curve (EC)
    cryptography (Security, 8208698) (CVE-2019-2745)
    
    * OpenJDK: Insufficient checks of suppressed exceptions in
    deserialization (Utilities, 8212328) (CVE-2019-2762)
    
    * OpenJDK: Unbounded memory allocation during deserialization in
    Collections (Utilities, 8213432) (CVE-2019-2769)
    
    * OpenJDK: Missing URL format validation (Networking, 8221518)
    (CVE-2019-2816)
    
    * OpenJDK: Missing array bounds check in crypto providers (JCE,
    8223511) (CVE-2019-2842)
    
    * OpenJDK: Insufficient restriction of privileges in AccessController
    (Security, 8216381) (CVE-2019-2786)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-July/008913.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected java-1.7.0-openjdk packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.7.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"java-1.7.0-openjdk-1.7.0.231-2.6.19.1.0.1.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.0.1.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.0.1.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.0.1.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.0.1.el6_10")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1269.NASL
    descriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2019-2684) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2769) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2019-2816) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2602) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2762) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2842) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2019-2745) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (CVE-2019-2698) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786)
    last seen2020-06-01
    modified2020-06-02
    plugin id128285
    published2019-08-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128285
    titleAmazon Linux 2 : java-1.8.0-openjdk (ALAS-2019-1269)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1269.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128285);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/24 11:01:32");
    
      script_cve_id("CVE-2019-2602", "CVE-2019-2684", "CVE-2019-2698", "CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842");
      script_xref(name:"ALAS", value:"2019-1269");
    
      script_name(english:"Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2019-1269)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Vulnerability in the Java SE, Java SE Embedded component of Oracle
    Java SE (subcomponent: RMI). Supported versions that are affected are
    Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE, Java
    SE Embedded. Successful attacks of this vulnerability can result in
    unauthorized creation, deletion or modification access to critical
    data or all Java SE, Java SE Embedded accessible data. Note: This
    vulnerability applies to Java deployments, typically in clients
    running sandboxed Java Web Start applications or sandboxed Java
    applets (in Java SE 8), that load and run untrusted code (e.g., code
    that comes from the internet) and rely on the Java sandbox for
    security. This vulnerability can also be exploited by using APIs in
    the specified Component, e.g., through a web service which supplies
    data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
    (CVE-2019-2684)
    
    Vulnerability in the Java SE, Java SE Embedded component of Oracle
    Java SE (subcomponent: Utilities). Supported versions that are
    affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE
    Embedded: 8u211. Easily exploitable vulnerability allows
    unauthenticated attacker with network access via multiple protocols to
    compromise Java SE, Java SE Embedded. Successful attacks of this
    vulnerability can result in unauthorized ability to cause a partial
    denial of service (partial DOS) of Java SE, Java SE Embedded. Note:
    This vulnerability applies to Java deployments, typically in clients
    running sandboxed Java Web Start applications or sandboxed Java
    applets (in Java SE 8), that load and run untrusted code (e.g., code
    that comes from the internet) and rely on the Java sandbox for
    security. This vulnerability can also be exploited by using APIs in
    the specified Component, e.g., through a web service which supplies
    data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2019-2769)
    
    Vulnerability in the Java SE, Java SE Embedded component of Oracle
    Java SE (subcomponent: Networking). Supported versions that are
    affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE
    Embedded: 8u211. Difficult to exploit vulnerability allows
    unauthenticated attacker with network access via multiple protocols to
    compromise Java SE, Java SE Embedded. Successful attacks of this
    vulnerability can result in unauthorized update, insert or delete
    access to some of Java SE, Java SE Embedded accessible data as well as
    unauthorized read access to a subset of Java SE, Java SE Embedded
    accessible data. Note: This vulnerability applies to Java deployments,
    typically in clients running sandboxed Java Web Start applications or
    sandboxed Java applets (in Java SE 8), that load and run untrusted
    code (e.g., code that comes from the internet) and rely on the Java
    sandbox for security. This vulnerability can also be exploited by
    using APIs in the specified Component, e.g., through a web service
    which supplies data to the APIs. CVSS 3.0 Base Score 4.8
    (Confidentiality and Integrity impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2019-2816)
    
    Vulnerability in the Java SE, Java SE Embedded component of Oracle
    Java SE (subcomponent: Libraries). Supported versions that are
    affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded:
    8u201. Easily exploitable vulnerability allows unauthenticated
    attacker with network access via multiple protocols to compromise Java
    SE, Java SE Embedded. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a hang or frequently
    repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note:
    This vulnerability can only be exploited by supplying data to APIs in
    the specified Component without using Untrusted Java Web Start
    applications or Untrusted Java applets, such as through a web service.
    CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (CVE-2019-2602)
    
    Vulnerability in the Java SE, Java SE Embedded component of Oracle
    Java SE (subcomponent: Utilities). Supported versions that are
    affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE
    Embedded: 8u211. Easily exploitable vulnerability allows
    unauthenticated attacker with network access via multiple protocols to
    compromise Java SE, Java SE Embedded. Successful attacks of this
    vulnerability can result in unauthorized ability to cause a partial
    denial of service (partial DOS) of Java SE, Java SE Embedded. Note:
    This vulnerability applies to Java deployments, typically in clients
    running sandboxed Java Web Start applications or sandboxed Java
    applets (in Java SE 8), that load and run untrusted code (e.g., code
    that comes from the internet) and rely on the Java sandbox for
    security. This vulnerability can also be exploited by using APIs in
    the specified Component, e.g., through a web service which supplies
    data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2019-2762)
    
    Vulnerability in the Java SE component of Oracle Java SE
    (subcomponent: JCE). The supported version that is affected is Java
    SE: 8u212. Difficult to exploit vulnerability allows unauthenticated
    attacker with network access via multiple protocols to compromise Java
    SE. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a partial denial of service (partial
    DOS) of Java SE. Note: This vulnerability applies to Java deployments,
    typically in clients running sandboxed Java Web Start applications or
    sandboxed Java applets (in Java SE 8), that load and run untrusted
    code (e.g., code that comes from the internet) and rely on the Java
    sandbox for security. This vulnerability can also be exploited by
    using APIs in the specified Component, e.g., through a web service
    which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2019-2842)
    
    Vulnerability in the Java SE component of Oracle Java SE
    (subcomponent: Security). Supported versions that are affected are
    Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability
    allows unauthenticated attacker with logon to the infrastructure where
    Java SE executes to compromise Java SE. Successful attacks of this
    vulnerability can result in unauthorized access to critical data or
    complete access to all Java SE accessible data. Note: This
    vulnerability applies to Java deployments, typically in clients
    running sandboxed Java Web Start applications or sandboxed Java
    applets (in Java SE 8), that load and run untrusted code (e.g., code
    that comes from the internet) and rely on the Java sandbox for
    security. This vulnerability can also be exploited by using APIs in
    the specified Component, e.g., through a web service which supplies
    data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).
    CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
    (CVE-2019-2745)
    
    Vulnerability in the Java SE component of Oracle Java SE
    (subcomponent: 2D). Supported versions that are affected are Java SE:
    7u211 and 8u202. Difficult to exploit vulnerability allows
    unauthenticated attacker with network access via multiple protocols to
    compromise Java SE. Successful attacks of this vulnerability can
    result in takeover of Java SE. Note: This vulnerability applies to
    Java deployments, typically in clients running sandboxed Java Web
    Start applications or sandboxed Java applets (in Java SE 8), that load
    and run untrusted code (e.g., code that comes from the internet) and
    rely on the Java sandbox for security. This vulnerability does not
    apply to Java deployments, typically in servers, that load and run
    only trusted code (e.g., code installed by an administrator). CVSS 3.0
    Base Score 8.1 (Confidentiality, Integrity and Availability impacts).
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2019-2698)
    
    Vulnerability in the Java SE, Java SE Embedded component of Oracle
    Java SE (subcomponent: Security). Supported versions that are affected
    are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE, Java
    SE Embedded. Successful attacks require human interaction from a
    person other than the attacker and while the vulnerability is in Java
    SE, Java SE Embedded, attacks may significantly impact additional
    products. Successful attacks of this vulnerability can result in
    unauthorized read access to a subset of Java SE, Java SE Embedded
    accessible data. Note: This vulnerability applies to Java deployments,
    typically in clients running sandboxed Java Web Start applications or
    sandboxed Java applets (in Java SE 8), that load and run untrusted
    code (e.g., code that comes from the internet) and rely on the Java
    sandbox for security. This vulnerability can also be exploited by
    using APIs in the specified Component, e.g., through a web service
    which supplies data to the APIs. CVSS 3.0 Base Score 3.4
    (Confidentiality impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1269.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update java-1.8.0-openjdk' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src-debug");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-src-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.amzn2.0.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2585.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP40. Security Fix(es) : * IBM JDK: Out-of-bounds access in the String.getBytes method (CVE-2019-11772) * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128447
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128447
    titleRHEL 7 : java-1.8.0-ibm (RHSA-2019:2585)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2585. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128447);
      script_version("1.5");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2019-11772", "CVE-2019-11775", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-7317");
      script_xref(name:"RHSA", value:"2019:2585");
    
      script_name(english:"RHEL 7 : java-1.8.0-ibm (RHSA-2019:2585)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for java-1.8.0-ibm is now available for Red Hat Enterprise
    Linux 7 Supplementary.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    IBM Java SE version 8 includes the IBM Java Runtime Environment and
    the IBM Java Software Development Kit.
    
    This update upgrades IBM Java SE 8 to version 8 SR5-FP40.
    
    Security Fix(es) :
    
    * IBM JDK: Out-of-bounds access in the String.getBytes method
    (CVE-2019-11772)
    
    * IBM JDK: Failure to privatize a value pulled out of the loop by
    versioning (CVE-2019-11775)
    
    * OpenJDK: Insufficient checks of suppressed exceptions in
    deserialization (Utilities, 8212328) (CVE-2019-2762)
    
    * OpenJDK: Unbounded memory allocation during deserialization in
    Collections (Utilities, 8213432) (CVE-2019-2769)
    
    * OpenJDK: Missing URL format validation (Networking, 8221518)
    (CVE-2019-2816)
    
    * OpenJDK: Insufficient restriction of privileges in AccessController
    (Security, 8216381) (CVE-2019-2786)
    
    * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2585"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2769"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2816"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-7317"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-11772"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-11775"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2585";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-ibm-demo-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-ibm-demo-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-ibm-jdbc-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-ibm-jdbc-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-ibm-plugin-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"java-1.8.0-ibm-src-1.8.0.5.40-1jpp.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-ibm-src-1.8.0.5.40-1jpp.1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4485.NASL
    descriptionSeveral vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in information disclosure, denial of service or bypass of sandbox restrictions. In addition the implementation of elliptic curve cryptography was modernised.
    last seen2020-06-01
    modified2020-06-02
    plugin id126966
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126966
    titleDebian DSA-4485-1 : openjdk-8 - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4485. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126966);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842");
      script_xref(name:"DSA", value:"4485");
    
      script_name(english:"Debian DSA-4485-1 : openjdk-8 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the OpenJDK Java
    runtime, resulting in information disclosure, denial of service or
    bypass of sandbox restrictions. In addition the implementation of
    elliptic curve cryptography was modernised."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/openjdk-8"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/openjdk-8"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4485"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the openjdk-8 packages.
    
    For the oldstable distribution (stretch), these problems have been
    fixed in version 8u222-b10-1~deb9u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openjdk-8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"openjdk-8-dbg", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-demo", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-doc", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-jdk", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-jdk-headless", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-jre", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-jre-headless", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-jre-zero", reference:"8u222-b10-1~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"openjdk-8-source", reference:"8u222-b10-1~deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2291-1.NASL
    descriptionThis update for java-1_8_0-ibm fixes the following issues : Update to Java 8.0 Service Refresh 5 Fix Pack 40. Security issues fixed : CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021) CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021) CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021) CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021) CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780). CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783). CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782). CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785). CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789). CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128520
    published2019-09-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128520
    titleSUSE SLED15 / SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2019:2291-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:2291-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128520);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-11212", "CVE-2019-11771", "CVE-2019-11772", "CVE-2019-11775", "CVE-2019-2449", "CVE-2019-2762", "CVE-2019-2766", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-4473", "CVE-2019-7317");
    
      script_name(english:"SUSE SLED15 / SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2019:2291-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for java-1_8_0-ibm fixes the following issues :
    
    Update to Java 8.0 Service Refresh 5 Fix Pack 40.
    
    Security issues fixed :
    
    CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
    
    CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
    
    CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
    
    CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
    
    CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
    
    CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1122292"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1122299"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141780"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141782"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141783"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141785"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141789"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1147021"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-11212/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11771/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11772/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11775/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2449/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2762/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2766/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2769/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2786/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2816/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-4473/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-7317/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20192291-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e9a81463"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Module for Open Buildservice Development Tools
    15-SP1:zypper in -t patch
    SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2291=1
    
    SUSE Linux Enterprise Module for Legacy Software 15-SP1:zypper in -t
    patch SUSE-SLE-Module-Legacy-15-SP1-2019-2291=1
    
    SUSE Linux Enterprise Module for Legacy Software 15:zypper in -t patch
    SUSE-SLE-Module-Legacy-15-2019-2291=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0/1", os_ver + " SP" + sp);
    if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-32bit-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-devel-32bit-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"java-1_8_0-ibm-demo-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"java-1_8_0-ibm-src-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"java-1_8_0-ibm-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"java-1_8_0-ibm-devel-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"java-1_8_0-ibm-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"java-1_8_0-ibm-devel-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-32bit-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-devel-32bit-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"java-1_8_0-ibm-demo-1.8.0_sr5.40-3.24.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"java-1_8_0-ibm-src-1.8.0_sr5.40-3.24.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1_8_0-ibm");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4083-1.NASL
    descriptionIt was discovered that OpenJDK did not sufficiently validate serial streams before deserializing suppressed exceptions in some situations. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service. (CVE-2019-2762) It was discovered that in some situations OpenJDK did not properly bound the amount of memory allocated during object deserialization. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service (excessive memory consumption). (CVE-2019-2769) It was discovered that OpenJDK did not properly restrict privileges in certain situations. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2019-2786) Jonathan Birch discovered that the Networking component of OpenJDK did not properly validate URLs in some situations. An attacker could use this to bypass restrictions on characters in URLs. (CVE-2019-2816) It was discovered that the ChaCha20Cipher implementation in OpenJDK did not use constant time computations in some situations. An attacker could use this to expose sensitive information. (CVE-2019-2818) It was discovered that the Java Secure Socket Extension (JSSE) component in OpenJDK did not properly handle OCSP stapling messages during TLS handshake in some situations. An attacker could use this to expose sensitive information. (CVE-2019-2821) It was discovered that OpenJDK incorrectly handled certain memory operations. If a user or automated system were tricked into opening a specially crafted PNG file, a remote attacker could use this issue to cause OpenJDK to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-7317). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127800
    published2019-08-12
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127800
    titleUbuntu 18.04 LTS / 19.04 : openjdk-lts vulnerabilities (USN-4083-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4083-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127800);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2818", "CVE-2019-2821", "CVE-2019-7317");
      script_xref(name:"USN", value:"4083-1");
    
      script_name(english:"Ubuntu 18.04 LTS / 19.04 : openjdk-lts vulnerabilities (USN-4083-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that OpenJDK did not sufficiently validate serial
    streams before deserializing suppressed exceptions in some situations.
    An attacker could use this to specially craft an object that, when
    deserialized, would cause a denial of service. (CVE-2019-2762)
    
    It was discovered that in some situations OpenJDK did not properly
    bound the amount of memory allocated during object deserialization. An
    attacker could use this to specially craft an object that, when
    deserialized, would cause a denial of service (excessive memory
    consumption). (CVE-2019-2769)
    
    It was discovered that OpenJDK did not properly restrict privileges in
    certain situations. An attacker could use this to specially construct
    an untrusted Java application or applet that could escape sandbox
    restrictions. (CVE-2019-2786)
    
    Jonathan Birch discovered that the Networking component of OpenJDK did
    not properly validate URLs in some situations. An attacker could use
    this to bypass restrictions on characters in URLs. (CVE-2019-2816)
    
    It was discovered that the ChaCha20Cipher implementation in OpenJDK
    did not use constant time computations in some situations. An attacker
    could use this to expose sensitive information. (CVE-2019-2818)
    
    It was discovered that the Java Secure Socket Extension (JSSE)
    component in OpenJDK did not properly handle OCSP stapling messages
    during TLS handshake in some situations. An attacker could use this to
    expose sensitive information. (CVE-2019-2821)
    
    It was discovered that OpenJDK incorrectly handled certain memory
    operations. If a user or automated system were tricked into opening a
    specially crafted PNG file, a remote attacker could use this issue to
    cause OpenJDK to crash, resulting in a denial of service, or possibly
    execute arbitrary code. (CVE-2019-7317).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4083-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-zero");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.04|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04 / 19.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.04", pkgname:"openjdk-11-jdk", pkgver:"11.0.4+11-1ubuntu2~18.04.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"openjdk-11-jdk-headless", pkgver:"11.0.4+11-1ubuntu2~18.04.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"openjdk-11-jre", pkgver:"11.0.4+11-1ubuntu2~18.04.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"openjdk-11-jre-headless", pkgver:"11.0.4+11-1ubuntu2~18.04.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"openjdk-11-jre-zero", pkgver:"11.0.4+11-1ubuntu2~18.04.3")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"openjdk-11-jdk", pkgver:"11.0.4+11-1ubuntu2~19.04")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"openjdk-11-jdk-headless", pkgver:"11.0.4+11-1ubuntu2~19.04")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"openjdk-11-jre", pkgver:"11.0.4+11-1ubuntu2~19.04")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"openjdk-11-jre-headless", pkgver:"11.0.4+11-1ubuntu2~19.04")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"openjdk-11-jre-zero", pkgver:"11.0.4+11-1ubuntu2~19.04")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openjdk-11-jdk / openjdk-11-jdk-headless / openjdk-11-jre / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2371-1.NASL
    descriptionThis update for java-1_8_0-ibm fixes the following issues : Update to Java 8.0 Service Refresh 5 Fix Pack 40. Security issues fixed : CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021) CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021) CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021) CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021) CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780). CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783). CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782). CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785). CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789). CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128872
    published2019-09-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128872
    titleSUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2019:2371-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:2371-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128872);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/27");
    
      script_cve_id("CVE-2018-11212", "CVE-2019-11771", "CVE-2019-11772", "CVE-2019-11775", "CVE-2019-2449", "CVE-2019-2762", "CVE-2019-2766", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-4473", "CVE-2019-7317");
    
      script_name(english:"SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2019:2371-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for java-1_8_0-ibm fixes the following issues :
    
    Update to Java 8.0 Service Refresh 5 Fix Pack 40.
    
    Security issues fixed :
    
    CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
    
    CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
    
    CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
    
    CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
    
    CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
    
    CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
    
    CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1122292"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1122299"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141780"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141782"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141783"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141785"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141789"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1147021"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-11212/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11771/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11772/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11775/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2449/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2762/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2766/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2769/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2786/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-2816/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-4473/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-7317/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20192371-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5233b74f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud Crowbar 8:zypper in -t patch
    SUSE-OpenStack-Cloud-Crowbar-8-2019-2371=1
    
    SUSE OpenStack Cloud 8:zypper in -t patch
    SUSE-OpenStack-Cloud-8-2019-2371=1
    
    SUSE OpenStack Cloud 7:zypper in -t patch
    SUSE-OpenStack-Cloud-7-2019-2371=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP5:zypper in -t
    patch SUSE-SLE-SDK-12-SP5-2019-2371=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t
    patch SUSE-SLE-SDK-12-SP4-2019-2371=1
    
    SUSE Linux Enterprise Server for SAP 12-SP3:zypper in -t patch
    SUSE-SLE-SAP-12-SP3-2019-2371=1
    
    SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch
    SUSE-SLE-SAP-12-SP2-2019-2371=1
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2019-2371=1
    
    SUSE Linux Enterprise Server 12-SP5:zypper in -t patch
    SUSE-SLE-SERVER-12-SP5-2019-2371=1
    
    SUSE Linux Enterprise Server 12-SP4:zypper in -t patch
    SUSE-SLE-SERVER-12-SP4-2019-2371=1
    
    SUSE Linux Enterprise Server 12-SP3-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2019-2371=1
    
    SUSE Linux Enterprise Server 12-SP3-BCL:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-BCL-2019-2371=1
    
    SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2019-2371=1
    
    SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-BCL-2019-2371=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2019-2371=1
    
    SUSE Enterprise Storage 5:zypper in -t patch
    SUSE-Storage-5-2019-2371=1
    
    SUSE Enterprise Storage 4:zypper in -t patch
    SUSE-Storage-4-2019-2371=1
    
    HPE Helion Openstack 8:zypper in -t patch
    HPE-Helion-OpenStack-8-2019-2371=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1|2|3|4|5)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2/3/4/5", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"java-1_8_0-ibm-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"java-1_8_0-ibm-devel-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", reference:"java-1_8_0-ibm-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"java-1_8_0-ibm-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"java-1_8_0-ibm-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"java-1_8_0-ibm-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"java-1_8_0-ibm-devel-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"java-1_8_0-ibm-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"java-1_8_0-ibm-devel-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"java-1_8_0-ibm-1.8.0_sr5.40-30.54.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1_8_0-ibm");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1811.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126940
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126940
    titleRHEL 6 : java-1.8.0-openjdk (RHSA-2019:1811)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:1811. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126940);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/07");
    
      script_cve_id("CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842");
      script_xref(name:"RHSA", value:"2019:1811");
    
      script_name(english:"RHEL 6 : java-1.8.0-openjdk (RHSA-2019:1811)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for java-1.8.0-openjdk is now available for Red Hat
    Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
    Environment and the OpenJDK 8 Java Software Development Kit.
    
    Security Fix(es) :
    
    * OpenJDK: Side-channel attack risks in Elliptic Curve (EC)
    cryptography (Security, 8208698) (CVE-2019-2745)
    
    * OpenJDK: Insufficient checks of suppressed exceptions in
    deserialization (Utilities, 8212328) (CVE-2019-2762)
    
    * OpenJDK: Unbounded memory allocation during deserialization in
    Collections (Utilities, 8213432) (CVE-2019-2769)
    
    * OpenJDK: Missing URL format validation (Networking, 8221518)
    (CVE-2019-2816)
    
    * OpenJDK: Missing array bounds check in crypto providers (JCE,
    8223511) (CVE-2019-2842)
    
    * OpenJDK: Insufficient restriction of privileges in AccessController
    (Security, 8216381) (CVE-2019-2786)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:1811"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2745"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2769"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2816"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-2842"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-debug");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:1811";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", reference:"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", reference:"java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el6_10")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el6_10")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1811.NASL
    descriptionFrom Red Hat Security Advisory 2019:1811 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126937
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126937
    titleOracle Linux 6 : java-1.8.0-openjdk (ELSA-2019-1811)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2019:1811 and 
    # Oracle Linux Security Advisory ELSA-2019-1811 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126937);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/07");
    
      script_cve_id("CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842");
      script_xref(name:"RHSA", value:"2019:1811");
    
      script_name(english:"Oracle Linux 6 : java-1.8.0-openjdk (ELSA-2019-1811)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2019:1811 :
    
    An update for java-1.8.0-openjdk is now available for Red Hat
    Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
    Environment and the OpenJDK 8 Java Software Development Kit.
    
    Security Fix(es) :
    
    * OpenJDK: Side-channel attack risks in Elliptic Curve (EC)
    cryptography (Security, 8208698) (CVE-2019-2745)
    
    * OpenJDK: Insufficient checks of suppressed exceptions in
    deserialization (Utilities, 8212328) (CVE-2019-2762)
    
    * OpenJDK: Unbounded memory allocation during deserialization in
    Collections (Utilities, 8213432) (CVE-2019-2769)
    
    * OpenJDK: Missing URL format validation (Networking, 8221518)
    (CVE-2019-2816)
    
    * OpenJDK: Missing array bounds check in crypto providers (JCE,
    8223511) (CVE-2019-2842)
    
    * OpenJDK: Insufficient restriction of privileges in AccessController
    (Security, 8216381) (CVE-2019-2786)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-July/008906.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected java-1.8.0-openjdk packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-debug");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el6_10")) flag++;
    if (rpm_check(release:"EL6", reference:"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el6_10")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0290_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136109
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136109
    titlePhoton OS 1.0: Openjdk11 PHSA-2020-1.0-0290
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-1.0-0290. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136109);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2018-3136",
        "CVE-2018-3139",
        "CVE-2018-3149",
        "CVE-2018-3150",
        "CVE-2018-3157",
        "CVE-2018-3169",
        "CVE-2018-3180",
        "CVE-2018-3183",
        "CVE-2018-3211",
        "CVE-2018-11212",
        "CVE-2018-13785",
        "CVE-2018-14048",
        "CVE-2019-2422",
        "CVE-2019-2426",
        "CVE-2019-2602",
        "CVE-2019-2684",
        "CVE-2019-2745",
        "CVE-2019-2762",
        "CVE-2019-2766",
        "CVE-2019-2769",
        "CVE-2019-2786",
        "CVE-2019-2816",
        "CVE-2019-2818",
        "CVE-2019-2821",
        "CVE-2019-2894",
        "CVE-2019-2933",
        "CVE-2019-2945",
        "CVE-2019-2949",
        "CVE-2019-2958",
        "CVE-2019-2962",
        "CVE-2019-2964",
        "CVE-2019-2973",
        "CVE-2019-2975",
        "CVE-2019-2977",
        "CVE-2019-2978",
        "CVE-2019-2981",
        "CVE-2019-2983",
        "CVE-2019-2987",
        "CVE-2019-2988",
        "CVE-2019-2989",
        "CVE-2019-2992",
        "CVE-2019-2999",
        "CVE-2020-2583",
        "CVE-2020-2590",
        "CVE-2020-2593",
        "CVE-2020-2601",
        "CVE-2020-2654",
        "CVE-2020-2655",
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2767",
        "CVE-2020-2773",
        "CVE-2020-2778",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2816",
        "CVE-2020-2830"
      );
      script_bugtraq_id(
        105587,
        105591,
        105595,
        105597,
        105599,
        105601,
        105602,
        105608,
        105617,
        105622,
        106583,
        106590,
        106596,
        107918,
        107922,
        109184,
        109185,
        109186,
        109187,
        109188,
        109189,
        109201,
        109210
      );
    
      script_name(english:"Photon OS 1.0: Openjdk11 PHSA-2020-1.0-0290");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the openjdk11 package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-290.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3183");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/29");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:openjdk11");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-1.0", cpu:"x86_64", reference:"openjdk11-11.0.7-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", cpu:"x86_64", reference:"openjdk11-debuginfo-11.0.7-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", cpu:"x86_64", reference:"openjdk11-doc-11.0.7-1.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", cpu:"x86_64", reference:"openjdk11-src-11.0.7-1.ph1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openjdk11");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1111.NASL
    descriptionAccording to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.Security Fix(es):Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2987)Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2999)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2816)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2786)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2762)Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2769)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2962)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2988)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2992)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.(CVE-2019-2964)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2973)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2981)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2933)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2958)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).(CVE-2019-2945)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2978)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2989)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2975)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2983)Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2020-2604) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2020-02-24
    plugin id133912
    published2020-02-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133912
    titleEulerOS 2.0 SP5 : java-1.8.0-openjdk (EulerOS-SA-2020-1111)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133912);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2019-2762",
        "CVE-2019-2769",
        "CVE-2019-2786",
        "CVE-2019-2816",
        "CVE-2019-2933",
        "CVE-2019-2945",
        "CVE-2019-2958",
        "CVE-2019-2962",
        "CVE-2019-2964",
        "CVE-2019-2973",
        "CVE-2019-2975",
        "CVE-2019-2978",
        "CVE-2019-2981",
        "CVE-2019-2983",
        "CVE-2019-2987",
        "CVE-2019-2988",
        "CVE-2019-2989",
        "CVE-2019-2992",
        "CVE-2019-2999",
        "CVE-2020-2604"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : java-1.8.0-openjdk (EulerOS-SA-2020-1111)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the java-1.8.0-openjdk packages
    installed, the EulerOS installation on the remote host is affected by
    the following vulnerabilities :
    
      - The java-1.8.0-openjdk packages provide the OpenJDK 8
        Java Runtime Environment and the OpenJDK 8 Java
        Software Development Kit.Security Fix(es):Vulnerability
        in the Java SE product of Oracle Java SE (component:
        2D). Supported versions that are affected are Java SE:
        11.0.4 and 13. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE. Note: This
        vulnerability applies to Java deployments, typically in
        clients running sandboxed Java Web Start applications
        or sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2987)Vulnerability in the Java SE
        product of Oracle Java SE (component: Javadoc).
        Supported versions that are affected are Java SE:
        7u231, 8u221, 11.0.4 and 13. Difficult to exploit
        vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise
        Java SE. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Java SE, attacks may significantly
        impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert
        or delete access to some of Java SE accessible data as
        well as unauthorized read access to a subset of Java SE
        accessible data. Note: This vulnerability applies to
        Java deployments, typically in clients running
        sandboxed Java Web Start applications or sandboxed Java
        applets (in Java SE 8), that load and run untrusted
        code (e.g., code that comes from the internet) and rely
        on the Java sandbox for security. This vulnerability
        does not apply to Java deployments, typically in
        servers, that load and run only trusted code (e.g.,
        code installed by an
        administrator).(CVE-2019-2999)Vulnerability in the Java
        SE, Java SE Embedded component of Oracle Java SE
        (subcomponent: Networking). Supported versions that are
        affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1
        Java SE Embedded: 8u211. Difficult to exploit
        vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise
        Java SE, Java SE Embedded. Successful attacks of this
        vulnerability can result in unauthorized update, insert
        or delete access to some of Java SE, Java SE Embedded
        accessible data as well as unauthorized read access to
        a subset of Java SE, Java SE Embedded accessible data.
        Note: This vulnerability applies to Java deployments,
        typically in clients running sandboxed Java Web Start
        applications or sandboxed Java applets (in Java SE 8),
        that load and run untrusted code (e.g., code that comes
        from the internet) and rely on the Java sandbox for
        security. This vulnerability can also be exploited by
        using APIs in the specified Component, e.g., through a
        web service which supplies data to the
        APIs.(CVE-2019-2816)Vulnerability in the Java SE, Java
        SE Embedded component of Oracle Java SE (subcomponent:
        Security). Supported versions that are affected are
        Java SE: 8u212, 11.0.3 and 12.0.1 Java SE Embedded:
        8u211. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Java SE, Java SE Embedded, attacks
        may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized read access to a subset of Java SE, Java
        SE Embedded accessible data. Note: This vulnerability
        applies to Java deployments, typically in clients
        running sandboxed Java Web Start applications or
        sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2786)Vulnerability in the Java SE, Java
        SE Embedded component of Oracle Java SE (subcomponent:
        Utilities). Supported versions that are affected are
        Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE
        Embedded: 8u211. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2762)Vulnerability in the Java SE, Java
        SE Embedded component of Oracle Java SE (subcomponent:
        Utilities). Supported versions that are affected are
        Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE
        Embedded: 8u211. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2769)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component: 2D).
        Supported versions that are affected are Java SE:
        7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221.
        Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2962)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component: 2D).
        Supported versions that are affected are Java SE:
        7u231, 8u221, 11.0.4 and 13 Java SE Embedded: 8u221.
        Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply
        to Java deployments, typically in servers, that load
        and run only trusted code (e.g., code installed by an
        administrator).(CVE-2019-2988)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: 2D). Supported versions that are affected
        are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE
        Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability does not apply
        to Java deployments, typically in servers, that load
        and run only trusted code (e.g., code installed by an
        administrator).(CVE-2019-2992)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: Concurrency). Supported versions that are
        affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java
        SE Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability can only be
        exploited by supplying data to APIs in the specified
        Component without using Untrusted Java Web Start
        applications or Untrusted Java applets, such as through
        a web service.(CVE-2019-2964)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: JAXP). Supported versions that are affected
        are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE
        Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2973)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        JAXP). Supported versions that are affected are Java
        SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2981)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Libraries). Supported versions that are affected are
        Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks require human interaction
        from a person other than the attacker. Successful
        attacks of this vulnerability can result in
        unauthorized read access to a subset of Java SE, Java
        SE Embedded accessible data. Note: This vulnerability
        applies to Java deployments, typically in clients
        running sandboxed Java Web Start applications or
        sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2933)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Libraries). Supported versions that are affected are
        Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized creation, deletion or
        modification access to critical data or all Java SE,
        Java SE Embedded accessible data. Note: This
        vulnerability applies to Java deployments, typically in
        clients running sandboxed Java Web Start applications
        or sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2958)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Networking). Supported versions that are affected are
        Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks require human interaction
        from a person other than the attacker. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE Embedded.
        Note: This vulnerability applies to Java deployments,
        typically in clients running sandboxed Java Web Start
        applications or sandboxed Java applets (in Java SE 8),
        that load and run untrusted code (e.g., code that comes
        from the internet) and rely on the Java sandbox for
        security. This vulnerability does not apply to Java
        deployments, typically in servers, that load and run
        only trusted code (e.g., code installed by an
        administrator).(CVE-2019-2945)Vulnerability in the Java
        SE, Java SE Embedded product of Oracle Java SE
        (component: Networking). Supported versions that are
        affected are Java SE: 7u231, 8u221, 11.0.4 and 13 Java
        SE Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2978)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Networking). Supported versions that are affected are
        Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE Embedded:
        8u221. Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. While the vulnerability is in Java SE, Java
        SE Embedded, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in unauthorized creation,
        deletion or modification access to critical data or all
        Java SE, Java SE Embedded accessible data. Note: This
        vulnerability applies to Java deployments, typically in
        clients running sandboxed Java Web Start applications
        or sandboxed Java applets (in Java SE 8), that load and
        run untrusted code (e.g., code that comes from the
        internet) and rely on the Java sandbox for security.
        This vulnerability can also be exploited by using APIs
        in the specified Component, e.g., through a web service
        which supplies data to the
        APIs.(CVE-2019-2989)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Scripting). Supported versions that are affected are
        Java SE: 8u221, 11.0.4 and 13 Java SE Embedded: 8u221.
        Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized update, insert or delete access
        to some of Java SE, Java SE Embedded accessible data
        and unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE Embedded.
        Note: This vulnerability applies to Java deployments,
        typically in clients running sandboxed Java Web Start
        applications or sandboxed Java applets (in Java SE 8),
        that load and run untrusted code (e.g., code that comes
        from the internet) and rely on the Java sandbox for
        security. This vulnerability can also be exploited by
        using APIs in the specified Component, e.g., through a
        web service which supplies data to the
        APIs.(CVE-2019-2975)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Serialization). Supported versions that are affected
        are Java SE: 7u231, 8u221, 11.0.4 and 13 Java SE
        Embedded: 8u221. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded. Note: This vulnerability applies to Java
        deployments, typically in clients running sandboxed
        Java Web Start applications or sandboxed Java applets
        (in Java SE 8), that load and run untrusted code (e.g.,
        code that comes from the internet) and rely on the Java
        sandbox for security. This vulnerability can also be
        exploited by using APIs in the specified Component,
        e.g., through a web service which supplies data to the
        APIs.(CVE-2019-2983)Vulnerability in the Java SE, Java
        SE Embedded product of Oracle Java SE (component:
        Serialization). Supported versions that are affected
        are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1 Java SE
        Embedded: 8u231. Difficult to exploit vulnerability
        allows unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in takeover of Java SE, Java SE Embedded. Note:
        This vulnerability applies to Java deployments,
        typically in clients running sandboxed Java Web Start
        applications or sandboxed Java applets (in Java SE 8),
        that load and run untrusted code (e.g., code that comes
        from the internet) and rely on the Java sandbox for
        security. This vulnerability can also be exploited by
        using APIs in the specified Component, e.g., through a
        web service which supplies data to the
        APIs.(CVE-2020-2604)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1111
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5060c3b0");
      script_set_attribute(attribute:"solution", value:
    "Update the affected java-1.8.0-openjdk packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["java-1.8.0-openjdk-1.8.0.191.b12-0.h6.eulerosv2r7",
            "java-1.8.0-openjdk-devel-1.8.0.191.b12-0.h6.eulerosv2r7",
            "java-1.8.0-openjdk-headless-1.8.0.191.b12-0.h6.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk");
    }
    
  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_JUL_2019.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 231, 8 Update 221, 11 Update 4, or 12 Update 2. It is, therefore, affected by multiple vulnerabilities: - Unspecified vulnerabilities in the utilities and JCE subcomponents of Oracle Java SE, which could allow an unauthenticated remote attacker to cause a partial denial of service. (CVE-2019-2762, CVE-2019-2769, CVE-2019-2842) - An unspecified vulnerability in the security subcomponent of Oracle Java SE, which could allow an unauthenticated local attacker to gain unauthorized access to critical Java SE data. (CVE-2019-2745) - Unspecified vulnerabilities in the networking and security subcomponents of Oracle Java SE, which could allow an unauthenticated remote attacker to gain unauthorized access to Java SE data. Exploitation of this vulnerability requires user interaction. (CVE-2019-2766, CVE-2019-2786, CVE-2019-2818) - An unspecified vulnerability in the networking subcomponent of Oracle Java SE, which could allow an unauthenticated remote attacker unauthorized read, update, insert or delete access to Java SE data. (CVE-2019-2816) - An unspecified vulnerability in the JSSE subcomponent of Oracle Java SE, which could allow an unauthenticated, remote attacker to gain unauthorized access to critical Java SE data. Exploitation of this vulnerability requires user interaction. (CVE-2019-2821) - A use after free vulnerability exists in the libpng subcomponent of Oracle Java SE. An unauthenticated, remote attacker can exploit this to cause a complete denial of service condition in Java SE. Exploitation of this vulnerability requires user interaction. (CVE-2019-7317) Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id126821
    published2019-07-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126821
    titleOracle Java SE 1.7.0_231 / 1.8.0_221 / 1.11.0_4 / 1.12.0_2 Multiple Vulnerabilities (Jul 2019 CPU)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1839.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126992
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126992
    titleCentOS 7 : java-1.7.0-openjdk (CESA-2019:1839)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1816.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126942
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126942
    titleRHEL 8 : java-1.8.0-openjdk (RHSA-2019:1816)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2494.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP50. Security Fix(es) : * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127987
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127987
    titleRHEL 6 : java-1.7.1-ibm (RHSA-2019:2494)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1810.NASL
    descriptionFrom Red Hat Security Advisory 2019:1810 : An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126936
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126936
    titleOracle Linux 7 : java-11-openjdk (ELSA-2019-1810)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-3_0-0035_OPENJDK8.NASL
    descriptionAn update of the openjdk8 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id130102
    published2019-10-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130102
    titlePhoton OS 3.0: Openjdk8 PHSA-2019-3.0-0035
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1811.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126990
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126990
    titleCentOS 6 : java-1.8.0-openjdk (CESA-2019:1811)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1810.NASL
    descriptionAn update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126989
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126989
    titleCentOS 7 : java-11-openjdk (CESA-2019:1810)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2020-0022_JAVA-1_8_0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2842) - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2019-2745) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2762, CVE-2019-2769) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2019-2816) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786) - Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2987) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Kerberos). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N). (CVE-2019-2949) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2973, CVE-2019-2981) - Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N). (CVE-2019-2999) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2988, CVE-2019-2992) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2978) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2983) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2962) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2019-2945) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2964) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N). (CVE-2019-2989) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L). (CVE-2019-2975) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N). (CVE-2020-2601) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2583) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2020-2590) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2593) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (CVE-2020-2604) - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2654) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2659) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2020-03-11
    plugin id134409
    published2020-03-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134409
    titleNewStart CGSL MAIN 4.05 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2020-0022)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0178_JAVA-1.8.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.06, has java-1.8.0-openjdk packages installed that are affected by multiple vulnerabilities: - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2842) - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2019-2745) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2762, CVE-2019-2769) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2019-2816) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128697
    published2019-09-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128697
    titleNewStart CGSL MAIN 4.06 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0178)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0175_JAVA-1.7.0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.06, has java-1.7.0-openjdk packages installed that are affected by multiple vulnerabilities: - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2842) - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2019-2745) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2762, CVE-2019-2769) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2019-2816) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128692
    published2019-09-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128692
    titleNewStart CGSL MAIN 4.06 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0175)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1817.NASL
    descriptionFrom Red Hat Security Advisory 2019:1817 : An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127602
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127602
    titleOracle Linux 8 : java-11-openjdk (ELSA-2019-1817)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4486.NASL
    descriptionSeveral vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in information disclosure, denial of service or bypass of sandbox restrictions. In addition the implementation of elliptic curve cryptography was modernised.
    last seen2020-06-01
    modified2020-06-02
    plugin id126967
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126967
    titleDebian DSA-4486-1 : openjdk-11 - security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1268.NASL
    descriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2762) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2842) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2019-2745) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-27690) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2019-2816) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786)
    last seen2020-06-01
    modified2020-06-02
    plugin id128284
    published2019-08-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128284
    titleAmazon Linux 2 : java-1.7.0-openjdk (ALAS-2019-1268)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2020-0017_JAVA-1_7_0-OPENJDK.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has java-1.7.0-openjdk packages installed that are affected by multiple vulnerabilities: - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2842) - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2019-2745) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2762, CVE-2019-2769) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2019-2816) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786) - Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2987) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2973, CVE-2019-2981) - Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N). (CVE-2019-2999) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2988, CVE-2019-2992) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2978) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2983) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2962) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2019-2945) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2964) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N). (CVE-2019-2989) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2020-03-11
    plugin id134412
    published2020-03-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134412
    titleNewStart CGSL MAIN 4.05 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2020-0017)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1810.NASL
    descriptionAn update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126939
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126939
    titleRHEL 7 : java-11-openjdk (RHSA-2019:1810)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1815.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126991
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126991
    titleCentOS 7 : java-1.8.0-openjdk (CESA-2019:1815)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190722_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) - OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) - OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) - OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) - OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) - OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)
    last seen2020-03-18
    modified2019-07-23
    plugin id126945
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126945
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (20190722)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2737.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP40. Security Fix(es) : * IBM JDK: Out-of-bounds access in the String.getBytes method (CVE-2019-11772) * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128858
    published2019-09-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128858
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2019:2737)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2590.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP40. Security Fix(es) : * IBM JDK: Out-of-bounds access in the String.getBytes method (CVE-2019-11772) * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128449
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128449
    titleRHEL 8 : java-1.8.0-ibm (RHSA-2019:2590)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190722_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) - OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) - OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) - OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) - OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) - OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)
    last seen2020-03-18
    modified2019-07-23
    plugin id126946
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126946
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL7.x x86_64 (20190722)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1815.NASL
    descriptionFrom Red Hat Security Advisory 2019:1815 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126938
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126938
    titleOracle Linux 7 : java-1.8.0-openjdk (ELSA-2019-1815)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0173_OPENJDK8.NASL
    descriptionAn update of the openjdk8 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id128736
    published2019-09-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128736
    titlePhoton OS 2.0: Openjdk8 PHSA-2019-2.0-0173
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2592.NASL
    descriptionAn update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP40. Security Fix(es) : * IBM JDK: Out-of-bounds access in the String.getBytes method (CVE-2019-11772) * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128451
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128451
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2019:2592)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2002-1.NASL
    descriptionThis update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues : Security issues fixed : CVE-2019-2745: Improved ECC Implementation (bsc#1141784). CVE-2019-2762: Exceptional throw cases (bsc#1141782). CVE-2019-2766: Improve file protocol handling (bsc#1141789). CVE-2019-2769: Better copies of CopiesList (bsc#1141783). CVE-2019-2786: More limited privilege usage (bsc#1141787). CVE-2019-7317: Improve PNG support options (bsc#1141780). CVE-2019-2818: Better Poly1305 support (bsc#1141788). CVE-2019-2816: Normalize normalization (bsc#1141785). CVE-2019-2821: Improve TLS negotiation (bsc#1141781). Certificate validation improvements Non-security issues fixed: Do not fail installation when the manpages are not present (bsc#1115375) Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if there is whitespace after the header or footer (bsc#1140461) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127745
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127745
    titleSUSE SLED15 / SLES15 Security Update : java-11-openjdk (SUSE-SU-2019:2002-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1916.NASL
    descriptionThis update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues : Security issues fixed : - CVE-2019-2745: Improved ECC Implementation (bsc#1141784). - CVE-2019-2762: Exceptional throw cases (bsc#1141782). - CVE-2019-2766: Improve file protocol handling (bsc#1141789). - CVE-2019-2769: Better copies of CopiesList (bsc#1141783). - CVE-2019-2786: More limited privilege usage (bsc#1141787). - CVE-2019-7317: Improve PNG support options (bsc#1141780). - CVE-2019-2818: Better Poly1305 support (bsc#1141788). - CVE-2019-2816: Normalize normalization (bsc#1141785). - CVE-2019-2821: Improve TLS negotiation (bsc#1141781). - Certificate validation improvements Non-security issues fixed : - Do not fail installation when the manpages are not present (bsc#1115375) - Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if there is whitespace after the header or footer (bsc#1140461) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id128008
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128008
    titleopenSUSE Security Update : java-11-openjdk (openSUSE-2019-1916)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1840.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126973
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126973
    titleRHEL 6 : java-1.7.0-openjdk (RHSA-2019:1840)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2019-1811.NASL
    descriptionAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127809
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127809
    titleVirtuozzo 6 : java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc (VZLSA-2019-1811)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190722_JAVA_11_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) - OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) - OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) - OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) - OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821) - OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) - OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818)
    last seen2020-03-18
    modified2019-07-23
    plugin id126944
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126944
    titleScientific Linux Security Update : java-11-openjdk on SL7.x x86_64 (20190722)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2021-1.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u222 fixes the following issues : Security issues fixed : CVE-2019-2745: Improved ECC Implementation (bsc#1141784). CVE-2019-2762: Exceptional throw cases (bsc#1141782). CVE-2019-2766: Improve file protocol handling (bsc#1141789). CVE-2019-2769: Better copies of CopiesList (bsc#1141783). CVE-2019-2786: More limited privilege usage (bsc#1141787). CVE-2019-2816: Normalize normalization (bsc#1141785). CVE-2019-2842: Extended AES support (bsc#1141786). CVE-2019-7317: Improve PNG support (bsc#1141780). Certificate validation improvements Non-security issue fixed: Fixed an issue where the installation failed when the manpages are not present (bsc#1115375) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127757
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127757
    titleSUSE SLED15 / SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:2021-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2495.NASL
    descriptionAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP50. Security Fix(es) : * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127988
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127988
    titleRHEL 7 : java-1.7.1-ibm (RHSA-2019:2495)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1817.NASL
    descriptionAn update for java-11-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126943
    published2019-07-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126943
    titleRHEL 8 : java-11-openjdk (RHSA-2019:1817)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4080-1.NASL
    descriptionKeegan Ryan discovered that the ECC implementation in OpenJDK was not sufficiently resilient to side-channel attacks. An attacker could possibly use this to expose sensitive information. (CVE-2019-2745) It was discovered that OpenJDK did not sufficiently validate serial streams before deserializing suppressed exceptions in some situations. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service. (CVE-2019-2762) It was discovered that in some situations OpenJDK did not properly bound the amount of memory allocated during object deserialization. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service (excessive memory consumption). (CVE-2019-2769) It was discovered that OpenJDK did not properly restrict privileges in certain situations. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2019-2786) Jonathan Birch discovered that the Networking component of OpenJDK did not properly validate URLs in some situations. An attacker could use this to bypass restrictions on characters in URLs. (CVE-2019-2816) Nati Nimni discovered that the Java Cryptography Extension component in OpenJDK did not properly perform array bounds checking in some situations. An attacker could use this to cause a denial of service. (CVE-2019-2842) It was discovered that OpenJDK incorrectly handled certain memory operations. If a user or automated system were tricked into opening a specially crafted PNG file, a remote attacker could use this issue to cause OpenJDK to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-7317). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127797
    published2019-08-12
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127797
    titleUbuntu 16.04 LTS : openjdk-8 vulnerabilities (USN-4080-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1816.NASL
    descriptionFrom Red Hat Security Advisory 2019:1816 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127601
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127601
    titleOracle Linux 8 : java-1.8.0-openjdk (ELSA-2019-1816)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190723_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) - OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) - OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) - OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) - OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) - OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)
    last seen2020-03-18
    modified2019-07-24
    plugin id126974
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126974
    titleScientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20190723)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190724_JAVA_1_7_0_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) - OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) - OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) - OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) - OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) - OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)
    last seen2020-03-18
    modified2019-07-25
    plugin id127034
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127034
    titleScientific Linux Security Update : java-1.7.0-openjdk on SL7.x x86_64 (20190724)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1912.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u222 fixes the following issues : Security issues fixed : - CVE-2019-2745: Improved ECC Implementation (bsc#1141784). - CVE-2019-2762: Exceptional throw cases (bsc#1141782). - CVE-2019-2766: Improve file protocol handling (bsc#1141789). - CVE-2019-2769: Better copies of CopiesList (bsc#1141783). - CVE-2019-2786: More limited privilege usage (bsc#1141787). - CVE-2019-2816: Normalize normalization (bsc#1141785). - CVE-2019-2842: Extended AES support (bsc#1141786). - CVE-2019-7317: Improve PNG support (bsc#1141780). - Certificate validation improvements Non-security issue fixed : - Fixed an issue where the installation failed when the manpages are not present (bsc#1115375) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id128004
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128004
    titleopenSUSE Security Update : java-1_8_0-openjdk (openSUSE-2019-1912)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-2_0-0235_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-08
    modified2020-05-05
    plugin id136333
    published2020-05-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136333
    titlePhoton OS 2.0: Openjdk11 PHSA-2020-2.0-0235
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1246.NASL
    descriptionOpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) libpng: png_image_free in png.c in libpng has a use-after-free because png_image_free_function is called under png_safe_execute. (CVE-2019-7317) OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) OpenJDK: Insufficient permission checks for file:// URLs on Windows (Networking, 8213431) (CVE-2019-2766) OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) ( CVE-2019-2818) OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)
    last seen2020-06-01
    modified2020-06-02
    plugin id126958
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126958
    titleAmazon Linux 2 : java-11-amazon-corretto (ALAS-2019-1246)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1840.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126993
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126993
    titleCentOS 6 : java-1.7.0-openjdk (CESA-2019:1840)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1268.NASL
    descriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2769) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).(CVE-2019-2816) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2019-2745) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2842) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).(CVE-2019-2786) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2762)
    last seen2020-06-01
    modified2020-06-02
    plugin id128291
    published2019-08-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128291
    titleAmazon Linux AMI : java-1.7.0-openjdk (ALAS-2019-1268)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2036-1.NASL
    descriptionThis update for java-1_8_0-openjdk to version 8u222 fixes the following issues : Security issues fixed : CVE-2019-2745: Improved ECC Implementation (bsc#1141784). CVE-2019-2762: Exceptional throw cases (bsc#1141782). CVE-2019-2766: Improve file protocol handling (bsc#1141789). CVE-2019-2769: Better copies of CopiesList (bsc#1141783). CVE-2019-2786: More limited privilege usage (bsc#1141787). CVE-2019-2816: Normalize normalization (bsc#1141785). CVE-2019-2842: Extended AES support (bsc#1141786). CVE-2019-7317: Improve PNG support (bsc#1141780). Certificate validation improvements Non-security issue fixed: Fixed an issue where the installation failed when the manpages are not present (bsc#1115375) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127762
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127762
    titleSUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:2036-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1839.NASL
    descriptionFrom Red Hat Security Advisory 2019:1839 : An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126971
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126971
    titleOracle Linux 7 : java-1.7.0-openjdk (ELSA-2019-1839)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0084_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136100
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136100
    titlePhoton OS 3.0: Openjdk11 PHSA-2020-3.0-0084
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1269.NASL
    descriptionVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2769) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).(CVE-2019-2816) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2019-2745) Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2842) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).(CVE-2019-2786) Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2762)
    last seen2020-06-01
    modified2020-06-02
    plugin id128292
    published2019-08-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128292
    titleAmazon Linux AMI : java-1.8.0-openjdk (ALAS-2019-1269)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1839.NASL
    descriptionAn update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126972
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126972
    titleRHEL 7 : java-1.7.0-openjdk (RHSA-2019:1839)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2336-1.NASL
    descriptionThis update for java-1_7_1-ibm fixes the following issues : Update to Java 7.1 Service Refresh 4 Fix Pack 50. Security issues fixed : CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021) CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021) CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021) CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780). CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783). CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782). CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785). CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128628
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128628
    titleSUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2019:2336-1)

Redhat

advisories
  • rhsa
    idRHSA-2019:2494
  • rhsa
    idRHSA-2019:2495
  • rhsa
    idRHSA-2019:2585
  • rhsa
    idRHSA-2019:2590
  • rhsa
    idRHSA-2019:2592
  • rhsa
    idRHSA-2019:2737
rpms
  • java-11-openjdk-1:11.0.4.11-0.el7_6
  • java-11-openjdk-debug-1:11.0.4.11-0.el7_6
  • java-11-openjdk-debuginfo-1:11.0.4.11-0.el7_6
  • java-11-openjdk-demo-1:11.0.4.11-0.el7_6
  • java-11-openjdk-demo-debug-1:11.0.4.11-0.el7_6
  • java-11-openjdk-devel-1:11.0.4.11-0.el7_6
  • java-11-openjdk-devel-debug-1:11.0.4.11-0.el7_6
  • java-11-openjdk-headless-1:11.0.4.11-0.el7_6
  • java-11-openjdk-headless-debug-1:11.0.4.11-0.el7_6
  • java-11-openjdk-javadoc-1:11.0.4.11-0.el7_6
  • java-11-openjdk-javadoc-debug-1:11.0.4.11-0.el7_6
  • java-11-openjdk-javadoc-zip-1:11.0.4.11-0.el7_6
  • java-11-openjdk-javadoc-zip-debug-1:11.0.4.11-0.el7_6
  • java-11-openjdk-jmods-1:11.0.4.11-0.el7_6
  • java-11-openjdk-jmods-debug-1:11.0.4.11-0.el7_6
  • java-11-openjdk-src-1:11.0.4.11-0.el7_6
  • java-11-openjdk-src-debug-1:11.0.4.11-0.el7_6
  • java-1.8.0-openjdk-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-debug-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-demo-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-devel-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-headless-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-javadoc-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-src-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-src-debug-1:1.8.0.222.b10-0.el6_10
  • java-1.8.0-openjdk-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-accessibility-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-accessibility-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-demo-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-devel-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-headless-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-javadoc-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-javadoc-zip-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-src-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-src-debug-1:1.8.0.222.b10-0.el7_6
  • java-1.8.0-openjdk-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-accessibility-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-debugsource-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-demo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-demo-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-demo-slowdebug-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-devel-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-devel-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-devel-slowdebug-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-headless-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-headless-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-headless-slowdebug-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-javadoc-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-slowdebug-debuginfo-1:1.8.0.222.b10-0.el8_0
  • java-1.8.0-openjdk-src-1:1.8.0.222.b10-0.el8_0
  • java-11-openjdk-1:11.0.4.11-0.el8_0
  • java-11-openjdk-debuginfo-1:11.0.4.11-0.el8_0
  • java-11-openjdk-debugsource-1:11.0.4.11-0.el8_0
  • java-11-openjdk-demo-1:11.0.4.11-0.el8_0
  • java-11-openjdk-devel-1:11.0.4.11-0.el8_0
  • java-11-openjdk-devel-debuginfo-1:11.0.4.11-0.el8_0
  • java-11-openjdk-devel-slowdebug-debuginfo-1:11.0.4.11-0.el8_0
  • java-11-openjdk-headless-1:11.0.4.11-0.el8_0
  • java-11-openjdk-headless-debuginfo-1:11.0.4.11-0.el8_0
  • java-11-openjdk-headless-slowdebug-debuginfo-1:11.0.4.11-0.el8_0
  • java-11-openjdk-javadoc-1:11.0.4.11-0.el8_0
  • java-11-openjdk-javadoc-zip-1:11.0.4.11-0.el8_0
  • java-11-openjdk-jmods-1:11.0.4.11-0.el8_0
  • java-11-openjdk-slowdebug-debuginfo-1:11.0.4.11-0.el8_0
  • java-11-openjdk-src-1:11.0.4.11-0.el8_0
  • java-1.7.0-openjdk-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-accessibility-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-demo-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-devel-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-headless-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-javadoc-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-src-1:1.7.0.231-2.6.19.1.el7_6
  • java-1.7.0-openjdk-1:1.7.0.231-2.6.19.1.el6_10
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.231-2.6.19.1.el6_10
  • java-1.7.0-openjdk-demo-1:1.7.0.231-2.6.19.1.el6_10
  • java-1.7.0-openjdk-devel-1:1.7.0.231-2.6.19.1.el6_10
  • java-1.7.0-openjdk-javadoc-1:1.7.0.231-2.6.19.1.el6_10
  • java-1.7.0-openjdk-src-1:1.7.0.231-2.6.19.1.el6_10
  • java-1.7.1-ibm-1:1.7.1.4.50-1jpp.1.el6_10
  • java-1.7.1-ibm-demo-1:1.7.1.4.50-1jpp.1.el6_10
  • java-1.7.1-ibm-devel-1:1.7.1.4.50-1jpp.1.el6_10
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.50-1jpp.1.el6_10
  • java-1.7.1-ibm-plugin-1:1.7.1.4.50-1jpp.1.el6_10
  • java-1.7.1-ibm-src-1:1.7.1.4.50-1jpp.1.el6_10
  • java-1.7.1-ibm-1:1.7.1.4.50-1jpp.1.el7
  • java-1.7.1-ibm-demo-1:1.7.1.4.50-1jpp.1.el7
  • java-1.7.1-ibm-devel-1:1.7.1.4.50-1jpp.1.el7
  • java-1.7.1-ibm-jdbc-1:1.7.1.4.50-1jpp.1.el7
  • java-1.7.1-ibm-plugin-1:1.7.1.4.50-1jpp.1.el7
  • java-1.7.1-ibm-src-1:1.7.1.4.50-1jpp.1.el7
  • java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el7
  • java-1.8.0-ibm-demo-1:1.8.0.5.40-1jpp.1.el7
  • java-1.8.0-ibm-devel-1:1.8.0.5.40-1jpp.1.el7
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.40-1jpp.1.el7
  • java-1.8.0-ibm-plugin-1:1.8.0.5.40-1jpp.1.el7
  • java-1.8.0-ibm-src-1:1.8.0.5.40-1jpp.1.el7
  • java-1.8.0-ibm-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-demo-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-devel-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-headless-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-plugin-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-src-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-webstart-1:1.8.0.5.40-3.el8_0
  • java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el6_10
  • java-1.8.0-ibm-demo-1:1.8.0.5.40-1jpp.1.el6_10
  • java-1.8.0-ibm-devel-1:1.8.0.5.40-1jpp.1.el6_10
  • java-1.8.0-ibm-jdbc-1:1.8.0.5.40-1jpp.1.el6_10
  • java-1.8.0-ibm-plugin-1:1.8.0.5.40-1jpp.1.el6_10
  • java-1.8.0-ibm-src-1:1.8.0.5.40-1jpp.1.el6_10
  • java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el6_10
  • java-1.8.0-ibm-devel-1:1.8.0.5.40-1jpp.1.el6_10

References