Vulnerabilities > CVE-2020-2754

047910
CVSS 3.7 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
LOW

Summary

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerable Configurations

Part Description Count
Application
Oracle
106
Application
Netapp
28
Application
Mcafee
11
OS
Fedoraproject
3
OS
Opensuse
2
OS
Canonical
3
OS
Debian
2

Nessus

  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_APR_2020.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 261, 8 Update 251, 11 Update 7, or 14 Update 1. It is, therefore, affected by multiple vulnerabilities related to the following components : - Oracle Java SE and Java SE Embedded are prone to a buffer overflow attack, over
    last seen2020-04-23
    modified2020-04-16
    plugin id135592
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135592
    titleOracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135592);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/17");
    
      script_cve_id(
        "CVE-2019-18197",
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2764",
        "CVE-2020-2767",
        "CVE-2020-2773",
        "CVE-2020-2778",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2816",
        "CVE-2020-2830"
      );
      script_xref(name:"IAVA", value:"2020-A-0134-S");
    
      script_name(english:"Oracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update
    261, 8 Update 251, 11 Update 7, or 14 Update 1. It is, therefore, affected by multiple vulnerabilities related to the
    following components :
    
      - Oracle Java SE and Java SE Embedded are prone to a buffer overflow attack, over 'Multiple' protocol.
        This issue affects the 'JavaFX (libxslt)' component. Successful attacks of this vulnerability allow 
        unauthenticated attacker with network access to takeover of Java SE. (CVE-2019-18197)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Scripting' component. (CVE-2020-2754, CVE-2020-2755)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Serialization' component. (CVE-2020-2756, CVE-2020-2757)
    
      - Oracle Java SE prone to unauthorized read access vulnerability. An unauthenticated remote attacker can
        exploit this over 'Multiple' protocol can result in unauthorized read access to a subset of Java SE
        accessible data. This issue affects the 'Advanced Management Console' component. (CVE-2020-2764)
    
      - Oracle Java SE and Java SE Embedded are prone to unauthorized write/read access vulnerability. An
        unauthenticated remote attacker over 'HTTPS' can read, update, insert or delete access to some of Java SE
        accessible data. This issue affects the 'JSSE' component. (CVE-2020-2767)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Scripting' component. (CVE-2020-2773)
    
    It is also affected by other vulnerabilities; please see vendor advisories for more information.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle JDK / JRE 14 Update 1 , 11 Update 7, 8 Update 251 , 7 Update 261 or later.
    If necessary, remove any affected versions.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("sun_java_jre_installed.nasl");
      script_require_keys("SMB/Java/JRE/Installed");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit("SMB/Java/JRE/*");
    
    info = "";
    vuln = 0;
    installed_versions = "";
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - "SMB/Java/JRE/";
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + " & " + ver;
    
      # Fixes : (JDK|JRE) 13 Update 2 / 11 Update 6 / 8 Update 214 / 7 Update 251 
      if (
        ver_compare(minver:"1.7.0", ver:ver, fix:"1.7.0_261", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:"1.8.0", ver:ver, fix:"1.8.0_251", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:"1.11.0", ver:ver, fix:"1.11.0_7", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:"1.13.0", ver:ver, fix:"1.14.0_1", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 
    
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1\n';
      }
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      if (vuln > 1) s = "s of Java are";
      else s = " of Java is";
    
      report =
        '\n' +
        'The following vulnerable instance'+s+' installed on the\n' +
        'remote host :\n' +
        info;
      security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);
    }
    else
    {
      installed_versions = substr(installed_versions, 3);
      if (" & " >< installed_versions)
        exit(0, "The Java "+installed_versions+" installations on the remote host are not affected.");
      else
        audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions);
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1516.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1516 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-22
    plugin id135909
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135909
    titleRHEL 8 : java-1.8.0-openjdk (RHSA-2020:1516)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1516. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135909);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");
    
      script_cve_id(
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2773",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2830"
      );
      script_xref(name:"RHSA", value:"2020:1516");
    
      script_name(english:"RHEL 8 : java-1.8.0-openjdk (RHSA-2020:1516)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1516 advisory.
    
      - OpenJDK: Misplaced regular expression syntax error check
        in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
    
      - OpenJDK: Incorrect handling of empty string nodes in
        regular expression Parser (Scripting, 8223904)
        (CVE-2020-2755)
    
      - OpenJDK: Incorrect handling of references to
        uninitialized class descriptors during deserialization
        (Serialization, 8224541) (CVE-2020-2756)
    
      - OpenJDK: Uncaught InstantiationError exception in
        ObjectStreamClass (Serialization, 8224549)
        (CVE-2020-2757)
    
      - OpenJDK: Unexpected exceptions raised by
        DOMKeyInfoFactory and DOMXMLSignatureFactory (Security,
        8231415) (CVE-2020-2773)
    
      - OpenJDK: Re-use of single TLS session for new
        connections (JSSE, 8234408) (CVE-2020-2781)
    
      - OpenJDK: CRLF injection into HTTP headers in HttpServer
        (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
    
      - OpenJDK: Incorrect bounds checks in NIO Buffers
        (Libraries, 8234841) (CVE-2020-2803)
    
      - OpenJDK: Incorrect type checks in
        MethodType.readObject() (Libraries, 8235274)
        (CVE-2020-2805)
    
      - OpenJDK: Regular expression DoS in Scanner (Concurrency,
        8236201) (CVE-2020-2830)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/113.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/119.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/185.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/400.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1516");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2754");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2755");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2756");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2757");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2773");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2781");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2800");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2803");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2805");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2830");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823199");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823200");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823215");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823216");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823224");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823527");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823542");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823694");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823844");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823960");
      script_set_attribute(attribute:"solution", value:
    "Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(20, 113, 119, 185, 248, 400);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/22");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:rhel_e4s:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:rhel_e4s:8.0::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'java-1.8.0-openjdk-1.8.0.252.b09-2.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-1.8.0.252.b09-2.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-1.8.0.252.b09-2.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-debugsource-1.8.0.252.b09-2.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-debugsource-1.8.0.252.b09-2.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-debugsource-1.8.0.252.b09-2.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el8_0', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el8_0', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-src-1.8.0.252.b09-2.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-src-1.8.0.252.b09-2.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-src-1.8.0.252.b09-2.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / java-1.8.0-openjdk-debugsource / etc');
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1514.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1514 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Incorrect handling of Certificate messages during TLS handshake (JSSE, 8232581) (CVE-2020-2767) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424) (CVE-2020-2778) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Application data accepted before TLS handshake completion (JSSE, 8235691) (CVE-2020-2816) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-21
    plugin id135861
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135861
    titleRHEL 8 : java-11-openjdk (RHSA-2020:1514)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1514. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135861);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");
    
      script_cve_id(
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2767",
        "CVE-2020-2773",
        "CVE-2020-2778",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2816",
        "CVE-2020-2830"
      );
      script_xref(name:"RHSA", value:"2020:1514");
    
      script_name(english:"RHEL 8 : java-11-openjdk (RHSA-2020:1514)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1514 advisory.
    
      - OpenJDK: Misplaced regular expression syntax error check
        in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
    
      - OpenJDK: Incorrect handling of empty string nodes in
        regular expression Parser (Scripting, 8223904)
        (CVE-2020-2755)
    
      - OpenJDK: Incorrect handling of references to
        uninitialized class descriptors during deserialization
        (Serialization, 8224541) (CVE-2020-2756)
    
      - OpenJDK: Uncaught InstantiationError exception in
        ObjectStreamClass (Serialization, 8224549)
        (CVE-2020-2757)
    
      - OpenJDK: Incorrect handling of Certificate messages
        during TLS handshake (JSSE, 8232581) (CVE-2020-2767)
    
      - OpenJDK: Unexpected exceptions raised by
        DOMKeyInfoFactory and DOMXMLSignatureFactory (Security,
        8231415) (CVE-2020-2773)
    
      - OpenJDK: Incomplete enforcement of algorithm
        restrictions for TLS (JSSE, 8232424) (CVE-2020-2778)
    
      - OpenJDK: Re-use of single TLS session for new
        connections (JSSE, 8234408) (CVE-2020-2781)
    
      - OpenJDK: CRLF injection into HTTP headers in HttpServer
        (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
    
      - OpenJDK: Incorrect bounds checks in NIO Buffers
        (Libraries, 8234841) (CVE-2020-2803)
    
      - OpenJDK: Incorrect type checks in
        MethodType.readObject() (Libraries, 8235274)
        (CVE-2020-2805)
    
      - OpenJDK: Application data accepted before TLS handshake
        completion (JSSE, 8235691) (CVE-2020-2816)
    
      - OpenJDK: Regular expression DoS in Scanner (Concurrency,
        8236201) (CVE-2020-2830)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/358.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/327.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/113.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/119.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/358.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/185.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/400.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1514");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2754");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2755");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2756");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2757");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2767");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2773");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2778");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2781");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2800");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2803");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2805");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2816");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2830");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823199");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823200");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823215");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823216");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823224");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823527");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823542");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823694");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823844");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823853");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823879");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823947");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823960");
      script_set_attribute(attribute:"solution", value:
    "Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(20, 113, 119, 185, 248, 327, 358, 400);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'java-11-openjdk-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-debugsource-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-debugsource-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-debugsource-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-demo-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-demo-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-demo-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-devel-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-devel-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-devel-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-headless-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-headless-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-headless-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-zip-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-zip-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-zip-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-jmods-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-jmods-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-jmods-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-src-11.0.7.10-1.el8_1', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-src-11.0.7.10-1.el8_1', 'cpu':'s390x', 'release':'8', 'epoch':'1'},
        {'reference':'java-11-openjdk-src-11.0.7.10-1.el8_1', 'cpu':'x86_64', 'release':'8', 'epoch':'1'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-debugsource / java-11-openjdk-demo / etc');
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2020-1421.NASL
    descriptionVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2755) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773) Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2757) A flaw was found in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2020-2805)
    last seen2020-05-12
    modified2020-05-07
    plugin id136364
    published2020-05-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136364
    titleAmazon Linux 2 : java-1.8.0-openjdk (ALAS-2020-1421)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2020-1421.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136364);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/11");
    
      script_cve_id("CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830");
      script_xref(name:"ALAS", value:"2020-1421");
    
      script_name(english:"Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2020-1421)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Serialization). Supported versions that are affected
    are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE, Java
    SE Embedded. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a partial denial of service (partial
    DOS) of Java SE, Java SE Embedded. Note: Applies to client and server
    deployment of Java. This vulnerability can be exploited through
    sandboxed Java Web Start applications and sandboxed Java applets. It
    can also be exploited by supplying data to APIs in the specified
    Component without using sandboxed Java Web Start applications or
    sandboxed Java applets, such as through a web service. CVSS 3.0 Base
    Score 3.7 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Scripting). Supported versions that are affected are
    Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a partial denial of service (partial DOS) of Java SE,
    Java SE Embedded. Note: Applies to client and server deployment of
    Java. This vulnerability can be exploited through sandboxed Java Web
    Start applications and sandboxed Java applets. It can also be
    exploited by supplying data to APIs in the specified Component without
    using sandboxed Java Web Start applications or sandboxed Java applets,
    such as through a web service. CVSS 3.0 Base Score 3.7 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2020-2755)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Concurrency). Supported versions that are affected are
    Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily
    exploitable vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a partial denial of service (partial DOS) of Java SE,
    Java SE Embedded. Note: Applies to client and server deployment of
    Java. This vulnerability can be exploited through sandboxed Java Web
    Start applications and sandboxed Java applets. It can also be
    exploited by supplying data to APIs in the specified Component without
    using sandboxed Java Web Start applications or sandboxed Java applets,
    such as through a web service. CVSS 3.0 Base Score 5.3 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2020-2830)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Libraries). Supported versions that are affected are
    Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE, Java
    SE Embedded. Successful attacks require human interaction from a
    person other than the attacker and while the vulnerability is in Java
    SE, Java SE Embedded, attacks may significantly impact additional
    products. Successful attacks of this vulnerability can result in
    takeover of Java SE, Java SE Embedded. Note: This vulnerability
    applies to Java deployments, typically in clients running sandboxed
    Java Web Start applications or sandboxed Java applets, that load and
    run untrusted code (e.g., code that comes from the internet) and rely
    on the Java sandbox for security. This vulnerability does not apply to
    Java deployments, typically in servers, that load and run only trusted
    code (e.g., code installed by an administrator). CVSS 3.0 Base Score
    8.3 (Confidentiality, Integrity and Availability impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
    (CVE-2020-2803)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Scripting). Supported versions that are affected are
    Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to
    exploit vulnerability allows unauthenticated attacker with network
    access via multiple protocols to compromise Java SE, Java SE Embedded.
    Successful attacks of this vulnerability can result in unauthorized
    ability to cause a partial denial of service (partial DOS) of Java SE,
    Java SE Embedded. Note: Applies to client and server deployment of
    Java. This vulnerability can be exploited through sandboxed Java Web
    Start applications and sandboxed Java applets. It can also be
    exploited by supplying data to APIs in the specified Component without
    using sandboxed Java Web Start applications or sandboxed Java applets,
    such as through a web service. CVSS 3.0 Base Score 3.7 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2020-2754)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: JSSE). Supported versions that are affected are Java
    SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily
    exploitable vulnerability allows unauthenticated attacker with network
    access via HTTPS to compromise Java SE, Java SE Embedded. Successful
    attacks of this vulnerability can result in unauthorized ability to
    cause a partial denial of service (partial DOS) of Java SE, Java SE
    Embedded. Note: Applies to client and server deployment of Java. This
    vulnerability can be exploited through sandboxed Java Web Start
    applications and sandboxed Java applets. It can also be exploited by
    supplying data to APIs in the specified Component without using
    sandboxed Java Web Start applications or sandboxed Java applets, such
    as through a web service. CVSS 3.0 Base Score 5.3 (Availability
    impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2020-2781)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Lightweight HTTP Server). Supported versions that are
    affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:
    8u241. Difficult to exploit vulnerability allows unauthenticated
    attacker with network access via multiple protocols to compromise Java
    SE, Java SE Embedded. Successful attacks of this vulnerability can
    result in unauthorized update, insert or delete access to some of Java
    SE, Java SE Embedded accessible data as well as unauthorized read
    access to a subset of Java SE, Java SE Embedded accessible data. Note:
    This vulnerability can only be exploited by supplying data to APIs in
    the specified Component without using Untrusted Java Web Start
    applications or Untrusted Java applets, such as through a web service.
    CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS
    Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Security). Supported versions that are affected are
    Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE, Java
    SE Embedded. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a partial denial of service (partial
    DOS) of Java SE, Java SE Embedded. Note: Applies to client and server
    deployment of Java. This vulnerability can be exploited through
    sandboxed Java Web Start applications and sandboxed Java applets. It
    can also be exploited by supplying data to APIs in the specified
    Component without using sandboxed Java Web Start applications or
    sandboxed Java applets, such as through a web service. CVSS 3.0 Base
    Score 3.7 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Serialization). Supported versions that are affected
    are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE, Java
    SE Embedded. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a partial denial of service (partial
    DOS) of Java SE, Java SE Embedded. Note: Applies to client and server
    deployment of Java. This vulnerability can be exploited through
    sandboxed Java Web Start applications and sandboxed Java applets. It
    can also be exploited by supplying data to APIs in the specified
    Component without using sandboxed Java Web Start applications or
    sandboxed Java applets, such as through a web service. CVSS 3.0 Base
    Score 3.7 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)
    
    Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
    SE (component: Serialization). Supported versions that are affected
    are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.
    Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE, Java
    SE Embedded. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a partial denial of service (partial
    DOS) of Java SE, Java SE Embedded. Note: Applies to client and server
    deployment of Java. This vulnerability can be exploited through
    sandboxed Java Web Start applications and sandboxed Java applets. It
    can also be exploited by supplying data to APIs in the specified
    Component without using sandboxed Java Web Start applications or
    sandboxed Java applets, such as through a web service. CVSS 3.0 Base
    Score 3.7 (Availability impacts). CVSS Vector:
    (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2757)
    
    A flaw was found in the way the readObject() method of the MethodType
    class in the Libraries component of OpenJDK checked argument types.
    This flaw allows an untrusted Java application or applet to bypass
    Java sandbox restrictions. (CVE-2020-2805)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2020-1421.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update java-1.8.0-openjdk' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src-debug");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-accessibility-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-demo-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-devel-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-headless-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-src-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", reference:"java-1.8.0-openjdk-src-debug-1.8.0.252.b09-2.amzn2.0.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1581.NASL
    descriptionAccording to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data.(CVE-2020-2601) - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.(CVE-2020-2654) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231 Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.(CVE-2020-2659) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.(CVE-2020-2593) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data.(CVE-2020-2590) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. (CVE-2020-2583) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.(CVE-2020-2781) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.(CVE-2020-2800) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.(CVE-2020-2830) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.(CVE-2020-2754) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.(CVE-2020-2755) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. (CVE-2020-2756) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. .(CVE-2020-2757) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.(CVE-2020-2773) - A flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where it is bypassed in certain cases. This flaw allows an untrusted Java application or applet o bypass Java sandbox restrictions.(CVE-2020-2803) - A flaw was found in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions.(CVE-2020-2805) - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.(CVE-2020-2604) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-31
    modified2020-05-26
    plugin id136859
    published2020-05-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136859
    titleEulerOS 2.0 SP8 : java-1.8.0-openjdk (EulerOS-SA-2020-1581)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136859);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/28");
    
      script_cve_id(
        "CVE-2020-2583",
        "CVE-2020-2590",
        "CVE-2020-2593",
        "CVE-2020-2601",
        "CVE-2020-2604",
        "CVE-2020-2654",
        "CVE-2020-2659",
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2773",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2830"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : java-1.8.0-openjdk (EulerOS-SA-2020-1581)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the java-1.8.0-openjdk packages
    installed, the EulerOS installation on the remote host is affected by
    the following vulnerabilities :
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Security). Supported
        versions that are affected are Java SE: 7u241, 8u231,
        11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via Kerberos to compromise Java SE,
        Java SE Embedded. While the vulnerability is in Java
        SE, Java SE Embedded, attacks may significantly impact
        additional products. Successful attacks of this
        vulnerability can result in unauthorized access to
        critical data or complete access to all Java SE, Java
        SE Embedded accessible data.(CVE-2020-2601)
    
      - Vulnerability in the Java SE product of Oracle Java SE
        (component: Libraries). Supported versions that are
        affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1.
        Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE.(CVE-2020-2654)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Networking). Supported
        versions that are affected are Java SE: 7u241 and 8u231
        Java SE Embedded: 8u231. Difficult to exploit
        vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise
        Java SE, Java SE Embedded. Successful attacks of this
        vulnerability can result in unauthorized ability to
        cause a partial denial of service (partial DOS) of Java
        SE, Java SE Embedded.(CVE-2020-2659)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Networking). Supported
        versions that are affected are Java SE: 7u241, 8u231,
        11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to
        compromise Java SE, Java SE Embedded. Successful
        attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of
        Java SE, Java SE Embedded accessible data as well as
        unauthorized read access to a subset of Java SE, Java
        SE Embedded accessible data.(CVE-2020-2593)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Security). Supported
        versions that are affected are Java SE: 7u241, 8u231,
        11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via Kerberos to compromise Java SE,
        Java SE Embedded. Successful attacks of this
        vulnerability can result in unauthorized update, insert
        or delete access to some of Java SE, Java SE Embedded
        accessible data.(CVE-2020-2590)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Serialization). Supported
        versions that are affected are Java SE: 7u241, 8u231,
        11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to
        compromise Java SE, Java SE Embedded. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE Embedded.
        (CVE-2020-2583)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: JSSE). Supported versions
        that are affected are Java SE: 7u251, 8u241, 11.0.6 and
        14 Java SE Embedded: 8u241. Easily exploitable
        vulnerability allows unauthenticated attacker with
        network access via HTTPS to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, Java SE
        Embedded.(CVE-2020-2781)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Lightweight HTTP Server).
        Supported versions that are affected are Java SE:
        7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241.
        Difficult to exploit vulnerability allows
        unauthenticated attacker with network access via
        multiple protocols to compromise Java SE, Java SE
        Embedded. Successful attacks of this vulnerability can
        result in unauthorized update, insert or delete access
        to some of Java SE, Java SE Embedded accessible data as
        well as unauthorized read access to a subset of Java
        SE, Java SE Embedded accessible data.(CVE-2020-2800)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Concurrency). Supported
        versions that are affected are Java SE: 7u251, 8u241,
        11.0.6 and 14 Java SE Embedded: 8u241. Easily
        exploitable vulnerability allows unauthenticated
        attacker with network access via multiple protocols to
        compromise Java SE, Java SE Embedded. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE
        Embedded.(CVE-2020-2830)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Scripting). Supported
        versions that are affected are Java SE: 8u241, 11.0.6
        and 14 Java SE Embedded: 8u241. Difficult to exploit
        vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise
        Java SE, Java SE Embedded. Successful attacks of this
        vulnerability can result in unauthorized ability to
        cause a partial denial of service (partial DOS) of Java
        SE, Java SE Embedded.(CVE-2020-2754)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Scripting). Supported
        versions that are affected are Java SE: 8u241, 11.0.6
        and 14 Java SE Embedded: 8u241. Difficult to exploit
        vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise
        Java SE, Java SE Embedded. Successful attacks of this
        vulnerability can result in unauthorized ability to
        cause a partial denial of service (partial DOS) of Java
        SE, Java SE Embedded.(CVE-2020-2755)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Serialization). Supported
        versions that are affected are Java SE: 7u251, 8u241,
        11.0.6 and 14 Java SE Embedded: 8u241. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to
        compromise Java SE, Java SE Embedded. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE Embedded.
        (CVE-2020-2756)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Serialization). Supported
        versions that are affected are Java SE: 7u251, 8u241,
        11.0.6 and 14 Java SE Embedded: 8u241. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to
        compromise Java SE, Java SE Embedded. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE Embedded.
        .(CVE-2020-2757)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Security). Supported
        versions that are affected are Java SE: 7u251, 8u241,
        11.0.6 and 14 Java SE Embedded: 8u241. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to
        compromise Java SE, Java SE Embedded. Successful
        attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of
        service (partial DOS) of Java SE, Java SE
        Embedded.(CVE-2020-2773)
    
      - A flaw was found in the boundary checks in the java.nio
        buffer classes in the Libraries component of OpenJDK,
        where it is bypassed in certain cases. This flaw allows
        an untrusted Java application or applet o bypass Java
        sandbox restrictions.(CVE-2020-2803)
    
      - A flaw was found in the way the readObject() method of
        the MethodType class in the Libraries component of
        OpenJDK checked argument types. This flaw allows an
        untrusted Java application or applet to bypass Java
        sandbox restrictions.(CVE-2020-2805)
    
      - Vulnerability in the Java SE, Java SE Embedded product
        of Oracle Java SE (component: Serialization). Supported
        versions that are affected are Java SE: 7u241, 8u231,
        11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to
        exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to
        compromise Java SE, Java SE Embedded. Successful
        attacks of this vulnerability can result in takeover of
        Java SE, Java SE Embedded.(CVE-2020-2604)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1581
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?711cf805");
      script_set_attribute(attribute:"solution", value:
    "Update the affected java-1.8.0-openjdk packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["java-1.8.0-openjdk-1.8.0.181.b15-5.h12.eulerosv2r8",
            "java-1.8.0-openjdk-devel-1.8.0.181.b15-5.h12.eulerosv2r8",
            "java-1.8.0-openjdk-headless-1.8.0.181.b15-5.h12.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1512.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1512 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-21
    plugin id135775
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135775
    titleRHEL 7 : java-1.8.0-openjdk (RHSA-2020:1512)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1512. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135775);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");
    
      script_cve_id(
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2773",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2830"
      );
      script_xref(name:"RHSA", value:"2020:1512");
    
      script_name(english:"RHEL 7 : java-1.8.0-openjdk (RHSA-2020:1512)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1512 advisory.
    
      - OpenJDK: Misplaced regular expression syntax error check
        in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
    
      - OpenJDK: Incorrect handling of empty string nodes in
        regular expression Parser (Scripting, 8223904)
        (CVE-2020-2755)
    
      - OpenJDK: Incorrect handling of references to
        uninitialized class descriptors during deserialization
        (Serialization, 8224541) (CVE-2020-2756)
    
      - OpenJDK: Uncaught InstantiationError exception in
        ObjectStreamClass (Serialization, 8224549)
        (CVE-2020-2757)
    
      - OpenJDK: Unexpected exceptions raised by
        DOMKeyInfoFactory and DOMXMLSignatureFactory (Security,
        8231415) (CVE-2020-2773)
    
      - OpenJDK: Re-use of single TLS session for new
        connections (JSSE, 8234408) (CVE-2020-2781)
    
      - OpenJDK: CRLF injection into HTTP headers in HttpServer
        (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
    
      - OpenJDK: Incorrect bounds checks in NIO Buffers
        (Libraries, 8234841) (CVE-2020-2803)
    
      - OpenJDK: Incorrect type checks in
        MethodType.readObject() (Libraries, 8235274)
        (CVE-2020-2805)
    
      - OpenJDK: Regular expression DoS in Scanner (Concurrency,
        8236201) (CVE-2020-2830)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/113.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/119.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/185.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/400.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1512");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2754");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2755");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2756");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2757");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2773");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2781");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2800");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2803");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2805");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2830");
      script_set_attribute(attribute:"solution", value:
    "Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(20, 113, 119, 185, 248, 400);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::client");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::computenode");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::workstation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8', 'cpu':'i686', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8', 'cpu':'s390x', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8', 'cpu':'x86_64', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8', 'cpu':'i686', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8', 'cpu':'s390x', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8', 'cpu':'x86_64', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8', 'cpu':'i686', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8', 'cpu':'s390x', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8', 'cpu':'x86_64', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8', 'cpu':'i686', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8', 'cpu':'s390x', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8', 'cpu':'x86_64', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8', 'cpu':'i686', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8', 'cpu':'s390x', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8', 'cpu':'x86_64', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8', 'cpu':'i686', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8', 'cpu':'s390x', 'release':'7', 'epoch':'1'},
        {'reference':'java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8', 'cpu':'x86_64', 'release':'7', 'epoch':'1'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / java-1.8.0-openjdk-demo / etc');
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0083_OPENJDK8.NASL
    descriptionAn update of the openjdk8 package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136095
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136095
    titlePhoton OS 3.0: Openjdk8 PHSA-2020-3.0-0083
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-3.0-0083. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136095);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2767",
        "CVE-2020-2773",
        "CVE-2020-2778",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2816",
        "CVE-2020-2830"
      );
    
      script_name(english:"Photon OS 3.0: Openjdk8 PHSA-2020-3.0-0083");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the openjdk8 package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-83.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/29");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:openjdk8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"openjdk8-1.8.0.252-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"openjdk8-debuginfo-1.8.0.252-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"openjdk8-doc-1.8.0.252-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"openjdk8-sample-1.8.0.252-1.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"openjdk8-src-1.8.0.252-1.ph3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openjdk8");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1517.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1517 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Incorrect handling of Certificate messages during TLS handshake (JSSE, 8232581) (CVE-2020-2767) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424) (CVE-2020-2778) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Application data accepted before TLS handshake completion (JSSE, 8235691) (CVE-2020-2816) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-22
    plugin id135908
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135908
    titleRHEL 8 : java-11-openjdk (RHSA-2020:1517)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1517. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135908);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");
    
      script_cve_id(
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2767",
        "CVE-2020-2773",
        "CVE-2020-2778",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2816",
        "CVE-2020-2830"
      );
      script_xref(name:"RHSA", value:"2020:1517");
    
      script_name(english:"RHEL 8 : java-11-openjdk (RHSA-2020:1517)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1517 advisory.
    
      - OpenJDK: Misplaced regular expression syntax error check
        in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
    
      - OpenJDK: Incorrect handling of empty string nodes in
        regular expression Parser (Scripting, 8223904)
        (CVE-2020-2755)
    
      - OpenJDK: Incorrect handling of references to
        uninitialized class descriptors during deserialization
        (Serialization, 8224541) (CVE-2020-2756)
    
      - OpenJDK: Uncaught InstantiationError exception in
        ObjectStreamClass (Serialization, 8224549)
        (CVE-2020-2757)
    
      - OpenJDK: Incorrect handling of Certificate messages
        during TLS handshake (JSSE, 8232581) (CVE-2020-2767)
    
      - OpenJDK: Unexpected exceptions raised by
        DOMKeyInfoFactory and DOMXMLSignatureFactory (Security,
        8231415) (CVE-2020-2773)
    
      - OpenJDK: Incomplete enforcement of algorithm
        restrictions for TLS (JSSE, 8232424) (CVE-2020-2778)
    
      - OpenJDK: Re-use of single TLS session for new
        connections (JSSE, 8234408) (CVE-2020-2781)
    
      - OpenJDK: CRLF injection into HTTP headers in HttpServer
        (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
    
      - OpenJDK: Incorrect bounds checks in NIO Buffers
        (Libraries, 8234841) (CVE-2020-2803)
    
      - OpenJDK: Incorrect type checks in
        MethodType.readObject() (Libraries, 8235274)
        (CVE-2020-2805)
    
      - OpenJDK: Application data accepted before TLS handshake
        completion (JSSE, 8235691) (CVE-2020-2816)
    
      - OpenJDK: Regular expression DoS in Scanner (Concurrency,
        8236201) (CVE-2020-2830)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/358.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/248.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/327.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/113.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/119.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/358.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/185.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/400.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1517");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2754");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2755");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2756");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2757");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2767");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2773");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2778");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2781");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2800");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2803");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2805");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2816");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-2830");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823199");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823200");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823215");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823216");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823224");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823527");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823542");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823694");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823844");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823853");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823879");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823947");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1823960");
      script_set_attribute(attribute:"solution", value:
    "Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(20, 113, 119, 185, 248, 327, 358, 400);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/22");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:rhel_e4s:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:rhel_e4s:8.0::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'java-11-openjdk-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-debugsource-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-debugsource-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-debugsource-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-demo-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-demo-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-demo-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-devel-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-devel-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-devel-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-headless-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-headless-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-headless-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-zip-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-zip-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-javadoc-zip-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-jmods-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-jmods-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-jmods-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-src-11.0.7.10-1.el8_0', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-src-11.0.7.10-1.el8_0', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
        {'reference':'java-11-openjdk-src-11.0.7.10-1.el8_0', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-debugsource / java-11-openjdk-demo / etc');
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-757.NASL
    descriptionThis update for java-11-openjdk fixes the following issues : Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511). Security issues fixed : - CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). - CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511). - CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511). - CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511). - CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined systems security policy and lead to the use of weak crypto algorithms (bsc#1169511). - CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511). - CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511). - CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511). - CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511). - CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-10
    modified2020-06-04
    plugin id137132
    published2020-06-04
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137132
    titleopenSUSE Security Update : java-11-openjdk (openSUSE-2020-757)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2020-757.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137132);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/09");
    
      script_cve_id("CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2767", "CVE-2020-2773", "CVE-2020-2778", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2816", "CVE-2020-2830");
    
      script_name(english:"openSUSE Security Update : java-11-openjdk (openSUSE-2020-757)");
      script_summary(english:"Check for the openSUSE-2020-757 patch");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update for java-11-openjdk fixes the following issues :
    
    Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511).
    
    Security issues fixed :
    
      - CVE-2020-2754: Fixed an incorrect handling of regular
        expressions that could have resulted in denial of
        service (bsc#1169511).
    
      - CVE-2020-2755: Fixed an incorrect handling of regular
        expressions that could have resulted in denial of
        service (bsc#1169511).
    
      - CVE-2020-2756: Fixed an incorrect handling of regular
        expressions that could have resulted in denial of
        service (bsc#1169511).
    
      - CVE-2020-2757: Fixed an object deserialization issue
        that could have resulted in denial of service via
        crafted serialized input (bsc#1169511).
    
      - CVE-2020-2767: Fixed an incorrect handling of
        certificate messages during TLS handshakes
        (bsc#1169511).
    
      - CVE-2020-2773: Fixed the incorrect handling of
        exceptions thrown by unmarshalKeyInfo() and
        unmarshalXMLSignature() (bsc#1169511).
    
      - CVE-2020-2778: Fixed the incorrect handling of
        SSLParameters in setAlgorithmConstraints(), which could
        have been abused to override the defined systems
        security policy and lead to the use of weak crypto
        algorithms (bsc#1169511).
    
      - CVE-2020-2781: Fixed the incorrect re-use of single null
        TLS sessions (bsc#1169511).
    
      - CVE-2020-2800: Fixed an HTTP header injection issue
        caused by mishandling of CR/LF in header values
        (bsc#1169511).
    
      - CVE-2020-2803: Fixed a boundary check and type check
        issue that could have led to a sandbox bypass
        (bsc#1169511).
    
      - CVE-2020-2805: Fixed a boundary check and type check
        issue that could have led to a sandbox bypass
        (bsc#1169511).
    
      - CVE-2020-2816: Fixed an incorrect handling of
        application data packets during TLS handshakes
        (bsc#1169511).
    
      - CVE-2020-2830: Fixed an incorrect handling of regular
        expressions that could have resulted in denial of
        service (bsc#1169511).
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1167462"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1169511"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected java-11-openjdk packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-accessibility-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-jmods");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-11-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-accessibility-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-accessibility-debuginfo-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-debuginfo-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-debugsource-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-demo-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-devel-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-headless-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-javadoc-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-jmods-11.0.7.0-lp151.3.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"java-11-openjdk-src-11.0.7.0-lp151.3.16.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-11-openjdk / java-11-openjdk-accessibility / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1512.NASL
    descriptionFrom Red Hat Security Advisory 2020:1512 : The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1512 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-24
    plugin id135953
    published2020-04-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135953
    titleOracle Linux 7 : java-1.8.0-openjdk (ELSA-2020-1512)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1512 and 
    # Oracle Linux Security Advisory ELSA-2020-1512 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135953);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/17");
    
      script_cve_id("CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830");
      script_xref(name:"RHSA", value:"2020:1512");
      script_xref(name:"IAVA", value:"2020-A-0134-S");
    
      script_name(english:"Oracle Linux 7 : java-1.8.0-openjdk (ELSA-2020-1512)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "From Red Hat Security Advisory 2020:1512 :
    
    The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1512 advisory.
    
      - OpenJDK: Misplaced regular expression syntax error check
        in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
    
      - OpenJDK: Incorrect handling of empty string nodes in
        regular expression Parser (Scripting, 8223904)
        (CVE-2020-2755)
    
      - OpenJDK: Incorrect handling of references to
        uninitialized class descriptors during deserialization
        (Serialization, 8224541) (CVE-2020-2756)
    
      - OpenJDK: Uncaught InstantiationError exception in
        ObjectStreamClass (Serialization, 8224549)
        (CVE-2020-2757)
    
      - OpenJDK: Unexpected exceptions raised by
        DOMKeyInfoFactory and DOMXMLSignatureFactory (Security,
        8231415) (CVE-2020-2773)
    
      - OpenJDK: Re-use of single TLS session for new
        connections (JSSE, 8234408) (CVE-2020-2781)
    
      - OpenJDK: CRLF injection into HTTP headers in HttpServer
        (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
    
      - OpenJDK: Incorrect bounds checks in NIO Buffers
        (Libraries, 8234841) (CVE-2020-2803)
    
      - OpenJDK: Incorrect type checks in
        MethodType.readObject() (Libraries, 8235274)
        (CVE-2020-2805)
    
      - OpenJDK: Regular expression DoS in Scanner (Concurrency,
        8236201) (CVE-2020-2830)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-April/009854.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected java-1.8.0-openjdk packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-accessibility-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-debug");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-accessibility-debug-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-debug-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-demo-debug-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-devel-debug-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-headless-debug-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-javadoc-debug-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"java-1.8.0-openjdk-src-debug-1.8.0.252.b09-2.el7_8")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-1509.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1509 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Incorrect handling of Certificate messages during TLS handshake (JSSE, 8232581) (CVE-2020-2767) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424) (CVE-2020-2778) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Application data accepted before TLS handshake completion (JSSE, 8235691) (CVE-2020-2816) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-05-01
    plugin id136196
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136196
    titleCentOS 7 : java-11-openjdk (CESA-2020:1509)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0290_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136109
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136109
    titlePhoton OS 1.0: Openjdk11 PHSA-2020-1.0-0290
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1506.NASL
    descriptionThe remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1506 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-21
    plugin id135776
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135776
    titleRHEL 6 : java-1.8.0-openjdk (RHSA-2020:1506)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1514.NASL
    descriptionFrom Red Hat Security Advisory 2020:1514 : The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1514 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Incorrect handling of Certificate messages during TLS handshake (JSSE, 8232581) (CVE-2020-2767) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424) (CVE-2020-2778) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Application data accepted before TLS handshake completion (JSSE, 8235691) (CVE-2020-2816) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-24
    plugin id135955
    published2020-04-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135955
    titleOracle Linux 8 : java-11-openjdk (ELSA-2020-1514)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1509.NASL
    descriptionFrom Red Hat Security Advisory 2020:1509 : The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1509 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Incorrect handling of Certificate messages during TLS handshake (JSSE, 8232581) (CVE-2020-2767) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424) (CVE-2020-2778) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Application data accepted before TLS handshake completion (JSSE, 8235691) (CVE-2020-2816) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-24
    plugin id135951
    published2020-04-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135951
    titleOracle Linux 7 : java-11-openjdk (ELSA-2020-1509)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-2_0-0235_OPENJDK8.NASL
    descriptionAn update of the openjdk8 package has been released.
    last seen2020-05-08
    modified2020-05-05
    plugin id136334
    published2020-05-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136334
    titlePhoton OS 2.0: Openjdk8 PHSA-2020-2.0-0235
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4668.NASL
    descriptionSeveral vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks.
    last seen2020-05-06
    modified2020-04-30
    plugin id136125
    published2020-04-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136125
    titleDebian DSA-4668-1 : openjdk-8 - security update
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-1512.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1512 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-05-01
    plugin id136198
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136198
    titleCentOS 7 : java-1.8.0-openjdk (CESA-2020:1512)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-2239.NASL
    descriptionThe remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2239 advisory. - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949) - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654) - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-31
    modified2020-05-20
    plugin id136740
    published2020-05-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136740
    titleRHEL 6 : java-1.8.0-ibm (RHSA-2020:2239)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-21CA991B3B.NASL
    descriptionUpdate to OpenJDK 8u252 (April Critical Patch Update) - JDK-8223898, CVE-2020-2754: Forward references to Nashorn - JDK-8223904, CVE-2020-2755: Improve Nashorn matching - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues - JDK-8225603: Enhancement for big integers - JDK-8227542: Manifest improved jar headers - JDK-8231415, CVE-2020-2773: Better signatures in XML - JDK-8233250: Better X11 rendering - JDK-8233410: Better Build Scripting - JDK-8234027: Better JCEKS key support - JDK-8234408, CVE-2020-2781: Improve TLS session handling - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers - JDK-8235274, CVE-2020-2805: Enhance typing of methods - JDK-8236201, CVE-2020-2830: Better Scanner conversions - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap Full release notes: https://bitly.com/oj8u252 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-16
    modified2020-05-13
    plugin id136531
    published2020-05-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136531
    titleFedora 30 : 1:java-1.8.0-openjdk (2020-21ca991b3b)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4662.NASL
    descriptionSeveral vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks.
    last seen2020-04-30
    modified2020-04-27
    plugin id135982
    published2020-04-27
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135982
    titleDebian DSA-4662-1 : openjdk-11 - security update
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200421_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)
    last seen2020-04-30
    modified2020-04-22
    plugin id135890
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135890
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (20200421)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-A60AD9D4EC.NASL
    descriptionUpdate to OpenJDK 8u252 (April Critical Patch Update) - JDK-8223898, CVE-2020-2754: Forward references to Nashorn - JDK-8223904, CVE-2020-2755: Improve Nashorn matching - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues - JDK-8225603: Enhancement for big integers - JDK-8227542: Manifest improved jar headers - JDK-8231415, CVE-2020-2773: Better signatures in XML - JDK-8233250: Better X11 rendering - JDK-8233410: Better Build Scripting - JDK-8234027: Better JCEKS key support - JDK-8234408, CVE-2020-2781: Improve TLS session handling - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers - JDK-8235274, CVE-2020-2805: Enhance typing of methods - JDK-8236201, CVE-2020-2830: Better Scanner conversions - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap Full release notes: https://bitly.com/oj8u252 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-22
    modified2020-05-18
    plugin id136682
    published2020-05-18
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136682
    titleFedora 31 : 1:java-1.8.0-openjdk (2020-a60ad9d4ec)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200421_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)
    last seen2020-04-30
    modified2020-04-22
    plugin id135891
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135891
    titleScientific Linux Security Update : java-1.8.0-openjdk on SL7.x x86_64 (20200421)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0290_OPENJDK.NASL
    descriptionAn update of the openjdk package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136108
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136108
    titlePhoton OS 1.0: Openjdk PHSA-2020-1.0-0290
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_APR_2020_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 261, 8 Update 251, 11 Update 7, or 14 Update 1. It is, therefore, affected by multiple vulnerabilities related to the following components : - Oracle Java SE and Java SE Embedded are prone to a buffer overflow attack, over
    last seen2020-05-23
    modified2020-04-16
    plugin id135591
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135591
    titleOracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU) (Unix)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200421_JAVA_11_OPENJDK_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Application data accepted before TLS handshake completion (JSSE, 8235691) (CVE-2020-2816) - OpenJDK: Incorrect handling of Certificate messages during TLS handshake (JSSE, 8232581) (CVE-2020-2767) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424) (CVE-2020-2778) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)
    last seen2020-04-30
    modified2020-04-22
    plugin id135887
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135887
    titleScientific Linux Security Update : java-11-openjdk on SL7.x x86_64 (20200421)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-2241.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2241 advisory. - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949) - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654) - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-31
    modified2020-05-20
    plugin id136738
    published2020-05-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136738
    titleRHEL 8 : java-1.8.0-ibm (RHSA-2020:2241)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-2_0-0235_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-08
    modified2020-05-05
    plugin id136333
    published2020-05-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136333
    titlePhoton OS 2.0: Openjdk11 PHSA-2020-2.0-0235
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4337-1.NASL
    descriptionIt was discovered that OpenJDK incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service while processing a specially crafted regular expression. (CVE-2020-2754, CVE-2020-2755) It was discovered that OpenJDK incorrectly handled class descriptors and catching exceptions during object stream deserialization. An attacker could possibly use this issue to cause a denial of service while processing a specially crafted serialized input. (CVE-2020-2756, CVE-2020-2757) Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled certificate messages during TLS handshake. An attacker could possibly use this issue to bypass certificate verification and insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2767) It was discovered that OpenJDK incorrectly handled exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature(). An attacker could possibly use this issue to cause a denial of service while reading key info or XML signature data from XML input. (CVE-2020-2773) Peter Dettman discovered that OpenJDK incorrectly handled SSLParameters in setAlgorithmConstraints(). An attacker could possibly use this issue to override the defined systems security policy and lead to the use of weak crypto algorithms that should be disabled. This issue only affected OpenJDK 11. (CVE-2020-2778) Simone Bordet discovered that OpenJDK incorrectly re-used single null TLS sessions for new TLS connections. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2020-2781) Dan Amodio discovered that OpenJDK did not restrict the use of CR and LF characters in values for HTTP headers. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2800) Nils Emmerich discovered that OpenJDK incorrectly checked boundaries or argument types. An attacker could possibly use this issue to bypass sandbox restrictions causing unspecified impact. (CVE-2020-2803, CVE-2020-2805) It was discovered that OpenJDK incorrectly handled application data packets during TLS handshake. An attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2816) It was discovered that OpenJDK incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2830). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-24
    plugin id135967
    published2020-04-24
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135967
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.10 : openjdk-8, openjdk-lts vulnerabilities (USN-4337-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-1506.NASL
    descriptionThe remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1506 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-28
    plugin id136018
    published2020-04-28
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136018
    titleCentOS 6 : java-1.8.0-openjdk (CESA-2020:1506)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2020-1410.NASL
    descriptionFurther information about this update can be found in the Corretto 11 change log (https://github.com/corretto/corretto-11/blob/develop/CHANGELOG.md)
    last seen2020-04-30
    modified2020-04-16
    plugin id135595
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135595
    titleAmazon Linux 2 : java-11-amazon-corretto (ALAS-2020-1410)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1509.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1509 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Incorrect handling of Certificate messages during TLS handshake (JSSE, 8232581) (CVE-2020-2767) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424) (CVE-2020-2778) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Application data accepted before TLS handshake completion (JSSE, 8235691) (CVE-2020-2816) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-22
    plugin id135905
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135905
    titleRHEL 7 : java-11-openjdk (RHSA-2020:1509)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0084_OPENJDK11.NASL
    descriptionAn update of the openjdk11 package has been released.
    last seen2020-05-03
    modified2020-04-29
    plugin id136100
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136100
    titlePhoton OS 3.0: Openjdk11 PHSA-2020-3.0-0084
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-2237.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2237 advisory. - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949) - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654) - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-31
    modified2020-05-20
    plugin id136736
    published2020-05-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136736
    titleRHEL 7 : java-1.8.0-ibm (RHSA-2020:2237)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1506.NASL
    descriptionFrom Red Hat Security Advisory 2020:1506 : The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1506 advisory. - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754) - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755) - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756) - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757) - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773) - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781) - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800) - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803) - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805) - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-22
    plugin id135884
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135884
    titleOracle Linux 6 : java-1.8.0-openjdk (ELSA-2020-1506)

Redhat

rpms
  • java-1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-debug-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-demo-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-devel-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-headless-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-javadoc-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-src-1:1.8.0.252.b09-2.el6_10
  • java-1.8.0-openjdk-src-debug-1:1.8.0.252.b09-2.el6_10
  • java-11-openjdk-1:11.0.7.10-4.el7_8
  • java-11-openjdk-debuginfo-1:11.0.7.10-4.el7_8
  • java-11-openjdk-demo-1:11.0.7.10-4.el7_8
  • java-11-openjdk-devel-1:11.0.7.10-4.el7_8
  • java-11-openjdk-headless-1:11.0.7.10-4.el7_8
  • java-11-openjdk-javadoc-1:11.0.7.10-4.el7_8
  • java-11-openjdk-javadoc-zip-1:11.0.7.10-4.el7_8
  • java-11-openjdk-jmods-1:11.0.7.10-4.el7_8
  • java-11-openjdk-src-1:11.0.7.10-4.el7_8
  • java-1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-accessibility-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-demo-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-devel-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-headless-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-javadoc-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.252.b09-2.el7_8
  • java-1.8.0-openjdk-src-1:1.8.0.252.b09-2.el7_8
  • java-11-openjdk-1:11.0.7.10-1.el8_1
  • java-11-openjdk-debuginfo-1:11.0.7.10-1.el8_1
  • java-11-openjdk-debugsource-1:11.0.7.10-1.el8_1
  • java-11-openjdk-demo-1:11.0.7.10-1.el8_1
  • java-11-openjdk-devel-1:11.0.7.10-1.el8_1
  • java-11-openjdk-devel-debuginfo-1:11.0.7.10-1.el8_1
  • java-11-openjdk-devel-slowdebug-debuginfo-1:11.0.7.10-1.el8_1
  • java-11-openjdk-headless-1:11.0.7.10-1.el8_1
  • java-11-openjdk-headless-debuginfo-1:11.0.7.10-1.el8_1
  • java-11-openjdk-headless-slowdebug-debuginfo-1:11.0.7.10-1.el8_1
  • java-11-openjdk-javadoc-1:11.0.7.10-1.el8_1
  • java-11-openjdk-javadoc-zip-1:11.0.7.10-1.el8_1
  • java-11-openjdk-jmods-1:11.0.7.10-1.el8_1
  • java-11-openjdk-slowdebug-debuginfo-1:11.0.7.10-1.el8_1
  • java-11-openjdk-src-1:11.0.7.10-1.el8_1
  • java-1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-accessibility-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-debugsource-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-demo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-demo-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-demo-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-devel-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-devel-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-devel-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-headless-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-headless-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-headless-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-javadoc-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-src-1:1.8.0.252.b09-2.el8_1
  • java-1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-accessibility-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-debugsource-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-demo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-demo-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-demo-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-devel-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-devel-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-devel-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-headless-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-headless-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-headless-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-javadoc-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-slowdebug-debuginfo-1:1.8.0.252.b09-2.el8_0
  • java-1.8.0-openjdk-src-1:1.8.0.252.b09-2.el8_0
  • java-11-openjdk-1:11.0.7.10-1.el8_0
  • java-11-openjdk-debuginfo-1:11.0.7.10-1.el8_0
  • java-11-openjdk-debugsource-1:11.0.7.10-1.el8_0
  • java-11-openjdk-demo-1:11.0.7.10-1.el8_0
  • java-11-openjdk-devel-1:11.0.7.10-1.el8_0
  • java-11-openjdk-devel-debuginfo-1:11.0.7.10-1.el8_0
  • java-11-openjdk-devel-slowdebug-debuginfo-1:11.0.7.10-1.el8_0
  • java-11-openjdk-headless-1:11.0.7.10-1.el8_0
  • java-11-openjdk-headless-debuginfo-1:11.0.7.10-1.el8_0
  • java-11-openjdk-headless-slowdebug-debuginfo-1:11.0.7.10-1.el8_0
  • java-11-openjdk-javadoc-1:11.0.7.10-1.el8_0
  • java-11-openjdk-javadoc-zip-1:11.0.7.10-1.el8_0
  • java-11-openjdk-jmods-1:11.0.7.10-1.el8_0
  • java-11-openjdk-slowdebug-debuginfo-1:11.0.7.10-1.el8_0
  • java-11-openjdk-src-1:11.0.7.10-1.el8_0
  • java-1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7
  • java-1.8.0-ibm-demo-1:1.8.0.6.10-1jpp.1.el7
  • java-1.8.0-ibm-devel-1:1.8.0.6.10-1jpp.1.el7
  • java-1.8.0-ibm-jdbc-1:1.8.0.6.10-1jpp.1.el7
  • java-1.8.0-ibm-plugin-1:1.8.0.6.10-1jpp.1.el7
  • java-1.8.0-ibm-src-1:1.8.0.6.10-1jpp.1.el7
  • java-1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10
  • java-1.8.0-ibm-demo-1:1.8.0.6.10-1jpp.1.el6_10
  • java-1.8.0-ibm-devel-1:1.8.0.6.10-1jpp.1.el6_10
  • java-1.8.0-ibm-jdbc-1:1.8.0.6.10-1jpp.1.el6_10
  • java-1.8.0-ibm-plugin-1:1.8.0.6.10-1jpp.1.el6_10
  • java-1.8.0-ibm-src-1:1.8.0.6.10-1jpp.1.el6_10
  • java-1.8.0-ibm-1:1.8.0.6.10-1.el8_2
  • java-1.8.0-ibm-demo-1:1.8.0.6.10-1.el8_2
  • java-1.8.0-ibm-devel-1:1.8.0.6.10-1.el8_2
  • java-1.8.0-ibm-headless-1:1.8.0.6.10-1.el8_2
  • java-1.8.0-ibm-jdbc-1:1.8.0.6.10-1.el8_2
  • java-1.8.0-ibm-plugin-1:1.8.0.6.10-1.el8_2
  • java-1.8.0-ibm-src-1:1.8.0.6.10-1.el8_2
  • java-1.8.0-ibm-webstart-1:1.8.0.6.10-1.el8_2

References