{"id": "JAVA_APR2020_ADVISORY.ASC", "bulletinFamily": "unix", "title": "Multiple vulnerabilities in IBM Java SDK affect AIX", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Fri Jul 31 09:56:48 CDT 2020\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/java_apr2020_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/java_apr2020_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/java_apr2020_advisory.asc\n\nSecurity Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in IBM SDK Java Technology Edition,\n Versions 7, 7.1, 8 used by AIX. AIX has addressed the applicable CVEs.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2020-2830\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2830\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2830\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java \n SE Concurrency component could allow an unauthenticated attacker to\n cause a denial of service resulting in a low availability impact using\n unknown attack vectors.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179728\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2020-2805\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2805\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2805\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE Libraries component could allow an unauthenticated attacker to \n take control of the system.\n CVSS Base Score: 8.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179703\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n CVEID: CVE-2020-2803\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2803\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2803\n DESCRIPTION: An unspecified vulnerability in multiple Oracle products \n could allow an unauthenticated attacker to take control of the system.\n CVSS Base Score: 8.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179701\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n CVEID: CVE-2020-2800\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2800\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2800\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE Lightweight HTTP Server component could allow an unauthenticated\n attacker to cause low confidentiality impact, low integrity impact,\n and no availability impact.\n CVSS Base Score: 4.8\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179698\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)\n\n CVEID: CVE-2020-2781\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2781\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2781\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE JSSE component could allow an unauthenticated attacker to cause a\n denial of service resulting in a low availability impact using unknown\n attack vectors.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179681\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2020-2757\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2757\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2757\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE Serialization component could allow an unauthenticated attacker to\n cause a denial of service resulting in a low availability impact using\n unknown attack vectors.\n CVSS Base Score: 3.7\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179657\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2020-2756\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2756\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2756\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE Serialization component could allow an unauthenticated attacker to\n cause a denial of service resulting in a low availability impact using\n unknown attack vectors.\n CVSS Base Score: 3.7\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179656\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2020-2755\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2755\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2755\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE Scripting component could allow an unauthenticated attacker to\n cause a denial of service resulting in a low availability impact using\n unknown attack vectors.\n CVSS Base Score: 3.7\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179655\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2020-2754\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2754\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2754\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE Scripting component could allow an unauthenticated attacker to\n cause a denial of service resulting in a low availability impact using\n unknown attack vectors.\n CVSS Base Score: 3.7\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/179654\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2019-2949\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949\n DESCRIPTION: An unspecified vulnerability in Java SE related to the\n Kerberos component could allow an unauthenticated attacker to obtain\n sensitive information resulting in a high confidentiality impact using\n unknown attack vectors.\n CVSS Base Score: 6.8\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/169254\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n CVEID: CVE-2020-2654\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654\n DESCRIPTION: An unspecified vulnerability in Java SE related to the Java\n SE Libraries component could allow an unauthenticated attacker to\n cause a denial of service resulting in a low availability impact using\n unknown attack vectors.\n CVSS Base Score: 3.7\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/174601\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n\nAFFECTED PRODUCTS AND VERSIONS:\n\n AIX 7.1, 7.2\n VIOS 2.2, 3.1\n\n The following fileset levels (VRMF) are vulnerable, if the\n respective Java version is installed:\n For Java7: Less than 7.0.0.665\n For Java7.1: Less than 7.1.0.465\n For Java8: Less than 8.0.0.610\n\n Note: To find out whether the affected Java filesets are installed\n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i java\n\n\nREMEDIATION:\n\n Note: Recommended remediation is to always install the most recent\n Java package available for the respective Java version.\n\n IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix\n Pack 65 and subsequent releases:\n 32-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix\n Pack 65 and subsequent releases:\n 32-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 8 Service Refresh 6 Fix\n Pack 11 and subsequent releases:\n 32-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n\nWORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n\n Contact IBM Support for questions related to this announcement:\n\n http://ibm.com/support/\n https://ibm.com/support/\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n\n Complete CVSS v2 Guide:\n http://www.first.org/cvss/v2/guide\n On-line Calculator v2:\n http://nvd.nist.gov/CVSS-v2-Calculator\n Complete CVSS v3 Guide:\n http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n\nRELATED INFORMATION:\n\n Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX\n https://www.ibm.com/support/pages/node/6255212\n\n\nACKNOWLEDGEMENTS:\n\n None.\n\nCHANGE HISTORY:\n\n First Issued: Fri Jul 31 09:56:48 CDT 2020\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will\nultimately impact the Overall CVSS Score. Customers can evaluate the impact\nof this vulnerability in their environments by accessing the links in the\nReference section of this Security Bulletin.\n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the\nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard\ndesigned to convey vulnerability severity and help to determine urgency and\npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY\nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS\nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT\nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n\n\n", "published": "2020-07-31T09:56:48", "modified": "2020-07-31T09:56:48", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "href": "https://aix.software.ibm.com/aix/efixes/security/java_apr2020_advisory.asc", "reporter": "CentOS Project", "references": [], "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2019-2949", "CVE-2020-2756", "CVE-2020-2654", "CVE-2020-2754"], "type": "aix", "lastseen": "2020-11-06T01:17:19", "edition": 2, "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["REDHAT-RHSA-2020-2239.NASL", "SUSE_SU-2020-1683-1.NASL", "REDHAT-RHSA-2020-1515.NASL", "REDHAT-RHSA-2020-2241.NASL", "ORACLELINUX_ELSA-2020-1512.NASL", "SUSE_SU-2020-1685-1.NASL", "SUSE_SU-2020-1684-1.NASL", "REDHAT-RHSA-2020-2236.NASL", "REDHAT-RHSA-2020-2237.NASL", "REDHAT-RHSA-2020-2238.NASL"]}, {"type": "redhat", "idList": ["RHSA-2020:1506", "RHSA-2020:1515", "RHSA-2020:1516", "RHSA-2020:2236", "RHSA-2020:1512", "RHSA-2020:2241", "RHSA-2020:2237", "RHSA-2020:1938", "RHSA-2020:2239", "RHSA-2020:2238"]}, {"type": "centos", "idList": ["CESA-2020:1512", "CESA-2020:1509", "CESA-2020:1506", "CESA-2020:1507", "CESA-2020:1508"]}, {"type": "amazon", "idList": ["ALAS-2020-1365", "ALAS2-2020-1424", "ALAS2-2020-1421"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0800-1", "OPENSUSE-SU-2020:0841-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1506", "ELSA-2020-1515", "ELSA-2020-1507", "ELSA-2020-1512", "ELSA-2020-1508"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877883", "OPENVAS:1361412562310853227", "OPENVAS:1361412562310816855", "OPENVAS:1361412562310883222", "OPENVAS:1361412562310853208", "OPENVAS:1361412562310704668", "OPENVAS:1361412562310877831", "OPENVAS:1361412562310883224", "OPENVAS:1361412562310883230", "OPENVAS:1361412562310877801"]}, {"type": "fedora", "idList": ["FEDORA:6F5D4605A6B2", "FEDORA:3F8B2606CFA7", "FEDORA:F22596075DBD"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2193-1:EADDD", "DEBIAN:DSA-4668-1:C5B44"]}, {"type": "gentoo", "idList": ["GLSA-202006-22"]}, {"type": "ubuntu", "idList": ["USN-4337-1"]}], "modified": "2020-11-06T01:17:19", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2020-11-06T01:17:19", "rev": 2}, "vulnersScore": 6.6}, "aixFileset": [{"fileset": "Java7_64.sdk", "productName": "aix", "productVersions": ["any"], "versionGte": "7.0.0.665", "versionLte": "7.0.0.665"}, {"fileset": "Java8.sdk", "productName": "aix", "productVersions": ["any"], "versionGte": "8.0.0.610", "versionLte": "8.0.0.610"}, {"fileset": "Java7.sdk", "productName": "aix", "productVersions": ["any"], "versionGte": "7.0.0.665", "versionLte": "7.0.0.665"}, {"fileset": "Java7.1_64.jre", "productName": "aix", "productVersions": ["any"], "versionGte": "7.1.0.465", "versionLte": "7.1.0.465"}, {"fileset": "Java7.1.jre", "productName": "aix", "productVersions": ["any"], "versionGte": "7.1.0.465", "versionLte": "7.1.0.465"}, {"fileset": "Java8_64.jre", "productName": "aix", "productVersions": ["any"], "versionGte": "8.0.0.610", "versionLte": "8.0.0.610"}, {"fileset": "Java8_64.sdk", "productName": "aix", "productVersions": ["any"], "versionGte": "8.0.0.610", "versionLte": "8.0.0.610"}, {"fileset": "Java7.1.sdk", "productName": "aix", "productVersions": ["any"], "versionGte": "7.1.0.465", "versionLte": "7.1.0.465"}, {"fileset": "Java8", "productName": "aix", "productVersions": ["any"], "versionGte": "8.0.0.610", "versionLte": "8.0.0.610"}, {"fileset": "Java7", "productName": "aix", "productVersions": ["any"], "versionGte": "7.0.0.665", "versionLte": "7.0.0.665"}, {"fileset": "Java7_64.jre", "productName": "aix", "productVersions": ["any"], "versionGte": "7.0.0.665", "versionLte": "7.0.0.665"}, {"fileset": "Java7.1", "productName": "aix", "productVersions": ["any"], "versionGte": "7.1.0.465", "versionLte": "7.1.0.465"}, {"fileset": "Java7.1_64.sdk", "productName": "aix", "productVersions": ["any"], "versionGte": "7.1.0.465", "versionLte": "7.1.0.465"}, {"fileset": "Java7.jre", "productName": "aix", "productVersions": ["any"], "versionGte": "7.0.0.665", "versionLte": "7.0.0.665"}, {"fileset": "Java8.jre", "productName": "aix", "productVersions": ["any"], "versionGte": "8.0.0.610", "versionLte": "8.0.0.610"}], "aix": {"apars": []}, "scheme": null}

{"nessus": [{"lastseen": "2020-11-21T06:01:14", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2239 advisory.\n\n - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-05-20T00:00:00", "title": "RHEL 6 : java-1.8.0-ibm (RHSA-2020:2239)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2019-2949", "CVE-2020-2756", "CVE-2020-2654", "CVE-2020-2754"], "modified": "2020-05-20T00:00:00", "cpe": ["cpe:/a:redhat:rhel_extras:6", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src"], "id": "REDHAT-RHSA-2020-2239.NASL", "href": "https://www.tenable.com/plugins/nessus/136740", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2239. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136740);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\n \"CVE-2019-2949\",\n \"CVE-2020-2654\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2830\"\n );\n script_xref(name:\"RHSA\", value:\"2020:2239\");\n\n script_name(english:\"RHEL 6 : java-1.8.0-ibm (RHSA-2020:2239)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2239 advisory.\n\n - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/113.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/185.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/248.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/522.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/770.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-2949\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2755\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2757\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2800\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2803\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2239\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1761594\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823199\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823215\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823542\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823960\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20, 113, 119, 185, 248, 400, 522, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_extras:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_extras_6': [\n 'rhel-6-desktop-supplementary-debuginfo',\n 'rhel-6-desktop-supplementary-rpms',\n 'rhel-6-desktop-supplementary-source-rpms',\n 'rhel-6-for-hpc-node-supplementary-debuginfo',\n 'rhel-6-for-hpc-node-supplementary-rpms',\n 'rhel-6-for-hpc-node-supplementary-source-rpms',\n 'rhel-6-for-system-z-eus-supplementary-debuginfo',\n 'rhel-6-for-system-z-eus-supplementary-rpms',\n 'rhel-6-for-system-z-eus-supplementary-source-rpms',\n 'rhel-6-for-system-z-supplementary-rpms',\n 'rhel-6-for-system-z-supplementary-source-rpms',\n 'rhel-6-server-aus-supplementary-debuginfo',\n 'rhel-6-server-aus-supplementary-rpms',\n 'rhel-6-server-aus-supplementary-source-rpms',\n 'rhel-6-server-eus-supplementary-debuginfo',\n 'rhel-6-server-eus-supplementary-rpms',\n 'rhel-6-server-eus-supplementary-source-rpms',\n 'rhel-6-server-supplementary-debuginfo',\n 'rhel-6-server-supplementary-rpms',\n 'rhel-6-server-supplementary-source-rpms',\n 'rhel-6-workstation-supplementary-debuginfo',\n 'rhel-6-workstation-supplementary-rpms',\n 'rhel-6-workstation-supplementary-source-rpms',\n 'rhel-hpc-node-6-eus-supplementary-debug-rpms',\n 'rhel-hpc-node-6-eus-supplementary-rpms',\n 'rhel-hpc-node-6-eus-supplementary-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:2239');\n}\n\npkgs = [\n {'reference':'java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-21T06:01:12", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2237 advisory.\n\n - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-05-20T00:00:00", "title": "RHEL 7 : java-1.8.0-ibm (RHSA-2020:2237)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2019-2949", "CVE-2020-2756", "CVE-2020-2654", "CVE-2020-2754"], "modified": "2020-05-20T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", "cpe:/a:redhat:rhel_extras:7", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src"], "id": "REDHAT-RHSA-2020-2237.NASL", "href": "https://www.tenable.com/plugins/nessus/136736", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2237. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136736);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\n \"CVE-2019-2949\",\n \"CVE-2020-2654\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2830\"\n );\n script_xref(name:\"RHSA\", value:\"2020:2237\");\n\n script_name(english:\"RHEL 7 : java-1.8.0-ibm (RHSA-2020:2237)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2237 advisory.\n\n - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/113.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/185.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/248.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/522.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/770.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-2949\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2755\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2757\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2800\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2803\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2237\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1761594\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823199\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823215\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823542\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823960\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20, 113, 119, 185, 248, 400, 522, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_extras:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_extras_7': [\n 'rhel-7-desktop-supplementary-rpms',\n 'rhel-7-desktop-supplementary-source-rpms',\n 'rhel-7-for-hpc-node-supplementary-rpms',\n 'rhel-7-for-hpc-node-supplementary-source-rpms',\n 'rhel-7-for-system-z-eus-supplementary-rpms',\n 'rhel-7-for-system-z-eus-supplementary-source-rpms',\n 'rhel-7-for-system-z-supplementary-debug-rpms',\n 'rhel-7-for-system-z-supplementary-rpms',\n 'rhel-7-for-system-z-supplementary-source-rpms',\n 'rhel-7-hpc-node-eus-supplementary-rpms',\n 'rhel-7-server-eus-supplementary-rpms',\n 'rhel-7-server-supplementary-rpms',\n 'rhel-7-server-supplementary-source-rpms',\n 'rhel-7-workstation-supplementary-rpms',\n 'rhel-7-workstation-supplementary-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:2237');\n}\n\npkgs = [\n {'reference':'java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-14T06:28:47", "description": "This update for java-1_8_0-ibm fixes the following issues :\n\njava-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10\n(bsc#1172277,bsc#1169511,bsc#1160968)\n\nCVE-2020-2654: Fixed an issue which could have resulted in\nunauthorized ability to cause a partial denial of service\n\nCVE-2020-2754: Forwarded references to Nashorn\n\nCVE-2020-2755: Improved Nashorn matching\n\nCVE-2020-2756: Improved mapping of serial ENUMs\n\nCVE-2020-2757: Less Blocking Array Queues\n\nCVE-2020-2781: Improved TLS session handling\n\nCVE-2020-2800: Improved Headings for HTTP Servers\n\nCVE-2020-2803: Enhanced buffering of byte buffers\n\nCVE-2020-2805: Enhanced typing of methods\n\nCVE-2020-2830: Improved Scanner conversions\n\nCVE-2019-2949: Fixed an issue which could have resulted in\nunauthorized access to critical data\n\nAdded RSA PSS SUPPORT TO IBMPKCS11IMPL\n\nThe pack200 and unpack200 alternatives should be slaves of java\n(bsc#1171352).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 3, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-07-09T00:00:00", "title": "SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2020:1685-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2019-2949", "CVE-2020-2756", "CVE-2020-2654", "CVE-2020-2754"], "modified": "2020-07-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa"], "id": "SUSE_SU-2020-1685-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138280", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1685-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138280);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-2949\", \"CVE-2020-2654\", \"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2020:1685-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for java-1_8_0-ibm fixes the following issues :\n\njava-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10\n(bsc#1172277,bsc#1169511,bsc#1160968)\n\nCVE-2020-2654: Fixed an issue which could have resulted in\nunauthorized ability to cause a partial denial of service\n\nCVE-2020-2754: Forwarded references to Nashorn\n\nCVE-2020-2755: Improved Nashorn matching\n\nCVE-2020-2756: Improved mapping of serial ENUMs\n\nCVE-2020-2757: Less Blocking Array Queues\n\nCVE-2020-2781: Improved TLS session handling\n\nCVE-2020-2800: Improved Headings for HTTP Servers\n\nCVE-2020-2803: Enhanced buffering of byte buffers\n\nCVE-2020-2805: Enhanced typing of methods\n\nCVE-2020-2830: Improved Scanner conversions\n\nCVE-2019-2949: Fixed an issue which could have resulted in\nunauthorized access to critical data\n\nAdded RSA PSS SUPPORT TO IBMPKCS11IMPL\n\nThe pack200 and unpack200 alternatives should be slaves of java\n(bsc#1171352).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1160968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171352\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2949/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2654/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2754/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2755/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2756/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2757/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2800/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2803/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2805/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2830/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201685-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0d5390ef\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1685=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2020-1685=1\n\nSUSE OpenStack Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2020-1685=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1685=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1685=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1685=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1685=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1685=1\n\nSUSE Linux Enterprise Server 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1685=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1685=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1685=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1685=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1685=1\n\nSUSE Enterprise Storage 5 :\n\nzypper in -t patch SUSE-Storage-5-2020-1685=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2020-1685=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"java-1_8_0-ibm-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-ibm-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-ibm-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"java-1_8_0-ibm-1.8.0_sr6.10-30.69.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-ibm\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-07-15T13:29:52", "description": "This update for java-1_8_0-ibm fixes the following issues :\n\njava-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10\n(bsc#1172277,bsc#1169511,bsc#1160968)\n\nCVE-2020-2654: Fixed an issue which could have resulted in\nunauthorized ability to cause a partial denial of service\n\nCVE-2020-2754: Forwarded references to Nashorn\n\nCVE-2020-2755: Improved Nashorn matching\n\nCVE-2020-2756: Improved mapping of serial ENUMs\n\nCVE-2020-2757: Less Blocking Array Queues\n\nCVE-2020-2781: Improved TLS session handling\n\nCVE-2020-2800: Improved Headings for HTTP Servers\n\nCVE-2020-2803: Enhanced buffering of byte buffers\n\nCVE-2020-2805: Enhanced typing of methods\n\nCVE-2020-2830: Improved Scanner conversions\n\nCVE-2019-2949: Fixed an issue which could have resulted in\nunauthorized access to critical data\n\nAdded RSA PSS SUPPORT TO IBMPKCS11IMPL\n\nThe pack200 and unpack200 alternatives should be slaves of java\n(bsc#1171352).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-07-09T00:00:00", "title": "SUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2020:1684-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2019-2949", "CVE-2020-2756", "CVE-2020-2654", "CVE-2020-2754"], "modified": "2020-07-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa"], "id": "SUSE_SU-2020-1684-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138279", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1684-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138279);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/14\");\n\n script_cve_id(\"CVE-2019-2949\", \"CVE-2020-2654\", \"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n\n script_name(english:\"SUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2020:1684-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for java-1_8_0-ibm fixes the following issues :\n\njava-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10\n(bsc#1172277,bsc#1169511,bsc#1160968)\n\nCVE-2020-2654: Fixed an issue which could have resulted in\nunauthorized ability to cause a partial denial of service\n\nCVE-2020-2754: Forwarded references to Nashorn\n\nCVE-2020-2755: Improved Nashorn matching\n\nCVE-2020-2756: Improved mapping of serial ENUMs\n\nCVE-2020-2757: Less Blocking Array Queues\n\nCVE-2020-2781: Improved TLS session handling\n\nCVE-2020-2800: Improved Headings for HTTP Servers\n\nCVE-2020-2803: Enhanced buffering of byte buffers\n\nCVE-2020-2805: Enhanced typing of methods\n\nCVE-2020-2830: Improved Scanner conversions\n\nCVE-2019-2949: Fixed an issue which could have resulted in\nunauthorized access to critical data\n\nAdded RSA PSS SUPPORT TO IBMPKCS11IMPL\n\nThe pack200 and unpack200 alternatives should be slaves of java\n(bsc#1171352).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1160968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171352\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2949/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2654/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2754/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2755/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2756/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2757/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2800/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2803/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2805/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2830/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201684-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6da5b9fd\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1684=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-1684=1\n\nSUSE Linux Enterprise Module for Legacy Software 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-1684=1\n\nSUSE Linux Enterprise Module for Legacy Software 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1684=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-ibm-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_8_0-ibm-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-ibm-1.8.0_sr6.10-3.38.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-ibm\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-19T05:31:22", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2241 advisory.\n\n - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-05-20T00:00:00", "title": "RHEL 8 : java-1.8.0-ibm (RHSA-2020:2241)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2019-2949", "CVE-2020-2756", "CVE-2020-2654", "CVE-2020-2754"], "modified": "2020-05-20T00:00:00", "cpe": ["cpe:/a:redhat:rhel_tus:8.2::supplementary", "cpe:/o:redhat:rhel_tus:8.2", "cpe:/a:redhat:rhel_aus:8.2::supplementary", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "cpe:/o:redhat:rhel_eus:8.4", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/a:redhat:rhel_eus:8.4::supplementary", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-headless", "cpe:/a:redhat:rhel_eus:8.2::supplementary", "cpe:/o:redhat:rhel_aus:8.2", "cpe:/a:redhat:rhel_e4s:8.2::supplementary", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-webstart", "cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_eus:8.2", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src", "cpe:/a:redhat:enterprise_linux:8::supplementary"], "id": "REDHAT-RHSA-2020-2241.NASL", "href": "https://www.tenable.com/plugins/nessus/136738", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2241. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136738);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/18\");\n\n script_cve_id(\n \"CVE-2019-2949\",\n \"CVE-2020-2654\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2830\"\n );\n script_xref(name:\"RHSA\", value:\"2020:2241\");\n\n script_name(english:\"RHEL 8 : java-1.8.0-ibm (RHSA-2020:2241)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2241 advisory.\n\n - OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/113.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/185.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/248.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/522.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/770.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-2949\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2755\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2757\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2800\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2803\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2241\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1761594\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823199\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823215\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823542\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823960\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20, 113, 119, 185, 248, 400, 522, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::supplementary\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_aus:8.2::supplementary\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.2::supplementary\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.2::supplementary\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.4::supplementary\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_tus:8.2::supplementary\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-webstart\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'enterprise_linux_8_supplementary': [\n 'rhel-8-for-aarch64-supplementary-eus-rpms',\n 'rhel-8-for-aarch64-supplementary-eus-source-rpms',\n 'rhel-8-for-aarch64-supplementary-rpms',\n 'rhel-8-for-aarch64-supplementary-source-rpms',\n 'rhel-8-for-s390x-supplementary-eus-rpms',\n 'rhel-8-for-s390x-supplementary-eus-source-rpms',\n 'rhel-8-for-s390x-supplementary-rpms',\n 'rhel-8-for-s390x-supplementary-source-rpms',\n 'rhel-8-for-x86_64-supplementary-eus-rpms',\n 'rhel-8-for-x86_64-supplementary-eus-source-rpms',\n 'rhel-8-for-x86_64-supplementary-rpms',\n 'rhel-8-for-x86_64-supplementary-source-rpms'\n ],\n 'rhel_eus_8_2_supplementary': [\n 'rhel-8-for-aarch64-supplementary-eus-rpms',\n 'rhel-8-for-aarch64-supplementary-eus-source-rpms',\n 'rhel-8-for-s390x-supplementary-eus-rpms',\n 'rhel-8-for-s390x-supplementary-eus-source-rpms',\n 'rhel-8-for-x86_64-supplementary-eus-rpms',\n 'rhel-8-for-x86_64-supplementary-eus-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:2241');\n}\n\npkgs = [\n {'reference':'java-1.8.0-ibm-1.8.0.6.10-1.el8_2', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-plugin-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']},\n {'reference':'java-1.8.0-ibm-webstart-1.8.0.6.10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_supplementary', 'rhel_eus_8_2_supplementary']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-21T06:01:12", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2236 advisory.\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-05-20T00:00:00", "title": "RHEL 6 : java-1.7.1-ibm (RHSA-2020:2236)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2756", "CVE-2020-2654"], "modified": "2020-05-20T00:00:00", "cpe": ["cpe:/a:redhat:rhel_extras:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src"], "id": "REDHAT-RHSA-2020-2236.NASL", "href": "https://www.tenable.com/plugins/nessus/136739", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2236. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136739);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\n \"CVE-2020-2654\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2830\"\n );\n script_xref(name:\"RHSA\", value:\"2020:2236\");\n\n script_name(english:\"RHEL 6 : java-1.7.1-ibm (RHSA-2020:2236)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2236 advisory.\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/113.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/185.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/248.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/770.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2757\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2800\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2803\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2236\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823215\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823542\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823960\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20, 113, 119, 185, 248, 400, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_extras:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_extras_6': [\n 'rhel-6-desktop-supplementary-debuginfo',\n 'rhel-6-desktop-supplementary-rpms',\n 'rhel-6-desktop-supplementary-source-rpms',\n 'rhel-6-for-hpc-node-supplementary-debuginfo',\n 'rhel-6-for-hpc-node-supplementary-rpms',\n 'rhel-6-for-hpc-node-supplementary-source-rpms',\n 'rhel-6-for-system-z-eus-supplementary-debuginfo',\n 'rhel-6-for-system-z-eus-supplementary-rpms',\n 'rhel-6-for-system-z-eus-supplementary-source-rpms',\n 'rhel-6-for-system-z-supplementary-rpms',\n 'rhel-6-for-system-z-supplementary-source-rpms',\n 'rhel-6-server-aus-supplementary-debuginfo',\n 'rhel-6-server-aus-supplementary-rpms',\n 'rhel-6-server-aus-supplementary-source-rpms',\n 'rhel-6-server-eus-supplementary-debuginfo',\n 'rhel-6-server-eus-supplementary-rpms',\n 'rhel-6-server-eus-supplementary-source-rpms',\n 'rhel-6-server-supplementary-debuginfo',\n 'rhel-6-server-supplementary-rpms',\n 'rhel-6-server-supplementary-source-rpms',\n 'rhel-6-workstation-supplementary-debuginfo',\n 'rhel-6-workstation-supplementary-rpms',\n 'rhel-6-workstation-supplementary-source-rpms',\n 'rhel-hpc-node-6-eus-supplementary-debug-rpms',\n 'rhel-hpc-node-6-eus-supplementary-rpms',\n 'rhel-hpc-node-6-eus-supplementary-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:2236');\n}\n\npkgs = [\n {'reference':'java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']},\n {'reference':'java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_6']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-21T06:01:14", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2238 advisory.\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-05-20T00:00:00", "title": "RHEL 7 : java-1.7.1-ibm (RHSA-2020:2238)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2756", "CVE-2020-2654"], "modified": "2020-05-20T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel", "cpe:/a:redhat:rhel_extras:7", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src"], "id": "REDHAT-RHSA-2020-2238.NASL", "href": "https://www.tenable.com/plugins/nessus/136735", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:2238. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136735);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\n \"CVE-2020-2654\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2830\"\n );\n script_xref(name:\"RHSA\", value:\"2020:2238\");\n\n script_name(english:\"RHEL 7 : java-1.7.1-ibm (RHSA-2020:2238)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2238 advisory.\n\n - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\n - OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n - OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n - OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n - OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n - OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/113.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/185.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/248.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/770.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2757\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2800\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2803\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:2238\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823215\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823542\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823694\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1823960\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20, 113, 119, 185, 248, 400, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_extras:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_extras_7': [\n 'rhel-7-desktop-supplementary-rpms',\n 'rhel-7-desktop-supplementary-source-rpms',\n 'rhel-7-for-hpc-node-supplementary-rpms',\n 'rhel-7-for-hpc-node-supplementary-source-rpms',\n 'rhel-7-for-system-z-eus-supplementary-rpms',\n 'rhel-7-for-system-z-eus-supplementary-source-rpms',\n 'rhel-7-for-system-z-supplementary-debug-rpms',\n 'rhel-7-for-system-z-supplementary-rpms',\n 'rhel-7-for-system-z-supplementary-source-rpms',\n 'rhel-7-hpc-node-eus-supplementary-rpms',\n 'rhel-7-server-eus-supplementary-rpms',\n 'rhel-7-server-supplementary-rpms',\n 'rhel-7-server-supplementary-source-rpms',\n 'rhel-7-workstation-supplementary-rpms',\n 'rhel-7-workstation-supplementary-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:2238');\n}\n\npkgs = [\n {'reference':'java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']},\n {'reference':'java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['rhel_extras_7']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-14T06:28:46", "description": "This update for java-1_7_1-ibm fixes the following issues :\n\njava-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65\n(bsc#1172277 and bsc#1169511)\n\nCVE-2020-2654: Fixed an issue which could have resulted in\nunauthorized ability to cause a partial denial of service\n\nCVE-2020-2756: Improved mapping of serial ENUMs\n\nCVE-2020-2757: Less Blocking Array Queues\n\nCVE-2020-2781: Improved TLS session handling\n\nCVE-2020-2800: Improved Headings for HTTP Servers\n\nCVE-2020-2803: Enhanced buffering of byte buffers\n\nCVE-2020-2805: Enhanced typing of methods\n\nCVE-2020-2830: Improved Scanner conversions\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 3, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-07-09T00:00:00", "title": "SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2020:1683-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2756", "CVE-2020-2654"], "modified": "2020-07-09T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin"], "id": "SUSE_SU-2020-1683-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138278", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1683-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138278);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2020-2654\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2020:1683-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for java-1_7_1-ibm fixes the following issues :\n\njava-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65\n(bsc#1172277 and bsc#1169511)\n\nCVE-2020-2654: Fixed an issue which could have resulted in\nunauthorized ability to cause a partial denial of service\n\nCVE-2020-2756: Improved mapping of serial ENUMs\n\nCVE-2020-2757: Less Blocking Array Queues\n\nCVE-2020-2781: Improved TLS session handling\n\nCVE-2020-2800: Improved Headings for HTTP Servers\n\nCVE-2020-2803: Enhanced buffering of byte buffers\n\nCVE-2020-2805: Enhanced typing of methods\n\nCVE-2020-2830: Improved Scanner conversions\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2654/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2756/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2757/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2800/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2803/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2805/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2830/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201683-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e20b7dbe\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1683=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2020-1683=1\n\nSUSE OpenStack Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2020-1683=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1683=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1683=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1683=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1683=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1683=1\n\nSUSE Linux Enterprise Server 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1683=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1683=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1683=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1683=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1683=1\n\nSUSE Enterprise Storage 5 :\n\nzypper in -t patch SUSE-Storage-5-2020-1683=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2020-1683=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"java-1_7_1-ibm-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_1-ibm-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_1-ibm-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"java-1_7_1-ibm-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_1-ibm\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-17T12:06:52", "description": "The remote NewStart CGSL host, running version MAIN 4.05, has java-1.8.0-openjdk packages installed that are affected by\nmultiple vulnerabilities:\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP\n Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well\n as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This\n vulnerability can only be exploited by supplying data to APIs in the specified Component without using\n Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly\n impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE,\n Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not\n apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed\n by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS\n Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java\n SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause\n a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-10-13T00:00:00", "title": "NewStart CGSL MAIN 4.05 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2020-0051)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "modified": "2020-10-13T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2020-0051_JAVA-1_8_0-OPENJDK.NASL", "href": "https://www.tenable.com/plugins/nessus/141408", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2020-0051. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141408);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2773\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2830\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.05 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2020-0051)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.05, has java-1.8.0-openjdk packages installed that are affected by\nmultiple vulnerabilities:\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2756, CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP\n Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded:\n 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well\n as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This\n vulnerability can only be exploited by supplying data to APIs in the specified Component without using\n Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency).\n Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241.\n Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2830)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly\n impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE,\n Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not\n apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed\n by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS\n Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). (CVE-2020-2803, CVE-2020-2805)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported\n versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java\n SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause\n a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2020-0051\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL java-1.8.0-openjdk packages. Note that updated packages may not be available yet. Please\ncontact ZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 4.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL MAIN 4.05': [\n 'java-1.8.0-openjdk-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-debug-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-demo-debug-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-devel-debug-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-headless-debug-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-javadoc-debug-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-src-1.8.0.252.b09-2.el6_10',\n 'java-1.8.0-openjdk-src-debug-1.8.0.252.b09-2.el6_10'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-07-19T21:25:27", "description": "This update for java-1_8_0-openjdk to version jdk8u252 fixes the\nfollowing issues :\n\nCVE-2020-2754: Forward references to Nashorn (bsc#1169511)\n\nCVE-2020-2755: Improve Nashorn matching (bsc#1169511)\n\nCVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)\n\nCVE-2020-2757: Less Blocking Array Queues (bsc#1169511)\n\nCVE-2020-2773: Better signatures in XML (bsc#1169511)\n\nCVE-2020-2781: Improve TLS session handling (bsc#1169511)\n\nCVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)\n\nCVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)\n\nCVE-2020-2805: Enhance typing of methods (bsc#1169511)\n\nCVE-2020-2830: Better Scanner conversions (bsc#1169511)\n\nIgnore whitespaces after the header or footer in PEM X.509 cert\n(bsc#1171352)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-07-15T00:00:00", "title": "SUSE SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2020:1569-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "modified": "2020-07-15T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debugsource", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk"], "id": "SUSE_SU-2020-1569-2.NASL", "href": "https://www.tenable.com/plugins/nessus/138491", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1569-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138491);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/17\");\n\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n\n script_name(english:\"SUSE SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2020:1569-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for java-1_8_0-openjdk to version jdk8u252 fixes the\nfollowing issues :\n\nCVE-2020-2754: Forward references to Nashorn (bsc#1169511)\n\nCVE-2020-2755: Improve Nashorn matching (bsc#1169511)\n\nCVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)\n\nCVE-2020-2757: Less Blocking Array Queues (bsc#1169511)\n\nCVE-2020-2773: Better signatures in XML (bsc#1169511)\n\nCVE-2020-2781: Improve TLS session handling (bsc#1169511)\n\nCVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)\n\nCVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)\n\nCVE-2020-2805: Enhance typing of methods (bsc#1169511)\n\nCVE-2020-2830: Better Scanner conversions (bsc#1169511)\n\nIgnore whitespaces after the header or footer in PEM X.509 cert\n(bsc#1171352)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1160398\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171352\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2754/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2755/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2756/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2757/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2773/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2800/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2803/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2805/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-2830/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201569-2\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fd2454b7\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Legacy Software 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-1569=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-2800\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-demo-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-devel-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-headless-1.8.0.252-3.35.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-3.35.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2020-05-20T15:57:24", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2949", "CVE-2020-2654", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR6-FP10.\n\nSecurity Fix(es):\n\n* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-05-20T18:12:35", "published": "2020-05-20T17:54:13", "id": "RHSA-2020:2239", "href": "https://access.redhat.com/errata/RHSA-2020:2239", "type": "redhat", "title": "(RHSA-2020:2239) Important: java-1.8.0-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-20T15:55:41", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2949", "CVE-2020-2654", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR6-FP10.\n\nSecurity Fix(es):\n\n* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-05-20T18:06:41", "published": "2020-05-20T17:54:08", "id": "RHSA-2020:2237", "href": "https://access.redhat.com/errata/RHSA-2020:2237", "type": "redhat", "title": "(RHSA-2020:2237) Important: java-1.8.0-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-20T17:50:09", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2949", "CVE-2020-2654", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR6-FP10.\n\nSecurity Fix(es):\n\n* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-05-20T19:52:58", "published": "2020-05-20T19:49:29", "id": "RHSA-2020:2241", "href": "https://access.redhat.com/errata/RHSA-2020:2241", "type": "redhat", "title": "(RHSA-2020:2241) Important: java-1.8.0-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-20T15:55:06", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2654", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP65.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-05-20T18:06:40", "published": "2020-05-20T17:54:06", "id": "RHSA-2020:2236", "href": "https://access.redhat.com/errata/RHSA-2020:2236", "type": "redhat", "title": "(RHSA-2020:2236) Important: java-1.7.1-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-20T15:56:20", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2654", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP65.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-05-20T18:12:36", "published": "2020-05-20T17:54:11", "id": "RHSA-2020:2238", "href": "https://access.redhat.com/errata/RHSA-2020:2238", "type": "redhat", "title": "(RHSA-2020:2238) Important: java-1.7.1-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-22T09:54:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-22T13:04:35", "published": "2020-04-22T12:56:46", "id": "RHSA-2020:1515", "href": "https://access.redhat.com/errata/RHSA-2020:1515", "type": "redhat", "title": "(RHSA-2020:1515) Important: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-21T09:44:48", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-21T13:32:54", "published": "2020-04-21T13:12:34", "id": "RHSA-2020:1506", "href": "https://access.redhat.com/errata/RHSA-2020:1506", "type": "redhat", "title": "(RHSA-2020:1506) Important: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-21T11:55:11", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-21T13:58:43", "published": "2020-04-21T13:11:34", "id": "RHSA-2020:1512", "href": "https://access.redhat.com/errata/RHSA-2020:1512", "type": "redhat", "title": "(RHSA-2020:1512) Important: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-22T09:54:03", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-22T13:04:34", "published": "2020-04-22T12:56:47", "id": "RHSA-2020:1516", "href": "https://access.redhat.com/errata/RHSA-2020:1516", "type": "redhat", "title": "(RHSA-2020:1516) Important: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-05T23:12:14", "bulletinFamily": "unix", "cvelist": ["CVE-2019-19354", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2805", "CVE-2020-2830"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* operator-framework/hadoop: /etc/passwd was given incorrect privileges (CVE-2019-19354)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-05-04T14:41:56", "published": "2020-05-04T14:40:44", "id": "RHSA-2020:1938", "href": "https://access.redhat.com/errata/RHSA-2020:1938", "type": "redhat", "title": "(RHSA-2020:1938) Moderate: OpenShift Container Platform 4.4.3 hadoop-container security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "centos": [{"lastseen": "2020-04-28T05:03:20", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "**CentOS Errata and Security Advisory** CESA-2020:1506\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2020-April/035702.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-04-28T00:26:13", "published": "2020-04-28T00:26:13", "id": "CESA-2020:1506", "href": "http://lists.centos.org/pipermail/centos-announce/2020-April/035702.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-01T20:52:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "**CentOS Errata and Security Advisory** CESA-2020:1512\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2020-April/035706.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-accessibility\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-zip\njava-1.8.0-openjdk-src\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-04-30T19:53:37", "published": "2020-04-30T19:53:37", "id": "CESA-2020:1512", "href": "http://lists.centos.org/pipermail/centos-announce/2020-April/035706.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-28T05:05:30", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "**CentOS Errata and Security Advisory** CESA-2020:1508\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2020-April/035701.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-04-28T00:24:04", "published": "2020-04-28T00:24:04", "id": "CESA-2020:1508", "href": "http://lists.centos.org/pipermail/centos-announce/2020-April/035701.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-01T20:52:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "**CentOS Errata and Security Advisory** CESA-2020:1507\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)\n\n* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2020-April/035707.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-04-30T19:54:04", "published": "2020-04-30T19:54:04", "id": "CESA-2020:1507", "href": "http://lists.centos.org/pipermail/centos-announce/2020-April/035707.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:34:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2756 __](<https://access.redhat.com/security/cve/CVE-2020-2756>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2755 __](<https://access.redhat.com/security/cve/CVE-2020-2755>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2830 __](<https://access.redhat.com/security/cve/CVE-2020-2830>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). ([CVE-2020-2803 __](<https://access.redhat.com/security/cve/CVE-2020-2803>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2754 __](<https://access.redhat.com/security/cve/CVE-2020-2754>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2781 __](<https://access.redhat.com/security/cve/CVE-2020-2781>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2773 __](<https://access.redhat.com/security/cve/CVE-2020-2773>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2773 __](<https://access.redhat.com/security/cve/CVE-2020-2773>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2757 __](<https://access.redhat.com/security/cve/CVE-2020-2757>))\n\nA flaw was found in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions. ([CVE-2020-2805 __](<https://access.redhat.com/security/cve/CVE-2020-2805>)) \n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n java-1.8.0-openjdk-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-debug-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-headless-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-headless-debug-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-devel-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-devel-debug-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-demo-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-demo-debug-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-src-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-src-debug-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.amzn2.0.1.aarch64 \n \n i686: \n java-1.8.0-openjdk-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-debug-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-headless-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-headless-debug-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-devel-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-devel-debug-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-demo-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-demo-debug-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-src-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-src-debug-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.252.b09-2.amzn2.0.1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.amzn2.0.1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-debug-1.8.0.252.b09-2.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.252.b09-2.amzn2.0.1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.252.b09-2.amzn2.0.1.src \n \n x86_64: \n java-1.8.0-openjdk-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-debug-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-headless-debug-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-devel-debug-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-demo-debug-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-src-debug-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2020-05-05T01:18:00", "published": "2020-05-05T01:18:00", "id": "ALAS2-2020-1421", "href": "https://alas.aws.amazon.com/AL2/ALAS-2020-1421.html", "title": "Important: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-10T12:34:35", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2756 __](<https://access.redhat.com/security/cve/CVE-2020-2756>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2757 __](<https://access.redhat.com/security/cve/CVE-2020-2757>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2773 __](<https://access.redhat.com/security/cve/CVE-2020-2773>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2781 __](<https://access.redhat.com/security/cve/CVE-2020-2781>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). ([CVE-2020-2800 __](<https://access.redhat.com/security/cve/CVE-2020-2800>))\n\nA flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where it is bypassed in certain cases. This flaw allows an untrusted Java application or applet o bypass Java sandbox restrictions. ([CVE-2020-2803 __](<https://access.redhat.com/security/cve/CVE-2020-2803>))\n\nA flaw was found in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions. ([CVE-2020-2805 __](<https://access.redhat.com/security/cve/CVE-2020-2805>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2830 __](<https://access.redhat.com/security/cve/CVE-2020-2830>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.1.83.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.1.83.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.261-2.6.22.1.83.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.1.83.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.261-2.6.22.1.83.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.261-2.6.22.1.83.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.261-2.6.22.1.83.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-src-1.7.0.261-2.6.22.1.83.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.1.83.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.261-2.6.22.1.83.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.1.83.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.1.83.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2020-05-08T20:10:00", "published": "2020-05-08T20:10:00", "id": "ALAS-2020-1365", "href": "https://alas.aws.amazon.com/ALAS-2020-1365.html", "title": "Important: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-10T12:37:35", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2756 __](<https://access.redhat.com/security/cve/CVE-2020-2756>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2757 __](<https://access.redhat.com/security/cve/CVE-2020-2757>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2773 __](<https://access.redhat.com/security/cve/CVE-2020-2773>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2781 __](<https://access.redhat.com/security/cve/CVE-2020-2781>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). ([CVE-2020-2800 __](<https://access.redhat.com/security/cve/CVE-2020-2800>))\n\nA flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where it is bypassed in certain cases. This flaw allows an untrusted Java application or applet o bypass Java sandbox restrictions. ([CVE-2020-2803 __](<https://access.redhat.com/security/cve/CVE-2020-2803>))\n\nA flaw was found in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions. ([CVE-2020-2805 __](<https://access.redhat.com/security/cve/CVE-2020-2805>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-2830 __](<https://access.redhat.com/security/cve/CVE-2020-2830>)) \n\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-1.7.0.261-2.6.22.2.amzn2.0.1.i686 \n java-1.7.0-openjdk-headless-1.7.0.261-2.6.22.2.amzn2.0.1.i686 \n java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.2.amzn2.0.1.i686 \n java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.2.amzn2.0.1.i686 \n java-1.7.0-openjdk-src-1.7.0.261-2.6.22.2.amzn2.0.1.i686 \n java-1.7.0-openjdk-accessibility-1.7.0.261-2.6.22.2.amzn2.0.1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.2.amzn2.0.1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.261-2.6.22.2.amzn2.0.1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.261-2.6.22.2.amzn2.0.1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-headless-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-accessibility-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.2.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2020-05-08T20:58:00", "published": "2020-05-08T20:58:00", "id": "ALAS2-2020-1424", "href": "https://alas.aws.amazon.com/AL2/ALAS-2020-1424.html", "title": "Important: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "suse": [{"lastseen": "2020-06-13T11:22:38", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "This update for java-1_8_0-openjdk to version jdk8u252 fixes the following\n issues:\n\n - CVE-2020-2754: Forward references to Nashorn (bsc#1169511)\n - CVE-2020-2755: Improve Nashorn matching (bsc#1169511)\n - CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)\n - CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)\n - CVE-2020-2773: Better signatures in XML (bsc#1169511)\n - CVE-2020-2781: Improve TLS session handling (bsc#1169511)\n - CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)\n - CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)\n - CVE-2020-2805: Enhance typing of methods (bsc#1169511)\n - CVE-2020-2830: Better Scanner conversions (bsc#1169511)\n - Ignore whitespaces after the header or footer in PEM X.509 cert\n (bsc#1171352)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2020-06-13T09:37:07", "published": "2020-06-13T09:37:07", "id": "OPENSUSE-SU-2020:0800-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html", "title": "Security update for java-1_8_0-openjdk (important)", "type": "suse", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-06-24T13:23:30", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "This update for java-1_8_0-openj9 fixes the following issues:\n\n java-1_8_0-openj9 was updated to Java 8.0 Service Refresh 6 Fix Pack 10\n (bsc#1169511)\n\n - CVE-2020-2830: Improved Scanner conversions\n - CVE-2020-2805: Enhanced typing of methods\n - CVE-2020-2803: Enhanced buffering of byte buffers\n - CVE-2020-2800: Improved Headings for HTTP Servers\n - CVE-2020-2781: Improved TLS session handling\n - CVE-2020-2773: Fixed an issue which could have allowed an attacker to\n caise denial of service\n - CVE-2020-2757: Less Blocking Array Queues\n - CVE-2020-2756: Improved mapping of serial ENUMs\n - CVE-2020-2755: Improved Nashorn matching\n - CVE-2020-2754: Forwarded references to Nashorn\n - The pack200 and unpack200 alternatives should be slaves of java\n (bsc#1171352).\n\n", "edition": 1, "modified": "2020-06-24T12:14:20", "published": "2020-06-24T12:14:20", "id": "OPENSUSE-SU-2020:0841-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html", "title": "Security update for java-1_8_0-openj9 (important)", "type": "suse", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-06-02T17:21:28", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2816", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2778", "CVE-2020-2767", "CVE-2020-2754"], "description": "This update for java-11-openjdk fixes the following issues:\n\n Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511).\n\n Security issues fixed:\n\n - CVE-2020-2754: Fixed an incorrect handling of regular expressions that\n could have resulted in denial of service (bsc#1169511).\n - CVE-2020-2755: Fixed an incorrect handling of regular expressions that\n could have resulted in denial of service (bsc#1169511).\n - CVE-2020-2756: Fixed an incorrect handling of regular expressions that\n could have resulted in denial of service (bsc#1169511).\n - CVE-2020-2757: Fixed an object deserialization issue that could have\n resulted in denial of service via crafted serialized input (bsc#1169511).\n - CVE-2020-2767: Fixed an incorrect handling of certificate messages\n during TLS handshakes (bsc#1169511).\n - CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by\n unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511).\n - CVE-2020-2778: Fixed the incorrect handling of SSLParameters in\n setAlgorithmConstraints(), which could have been abused to override the\n defined systems security policy and lead to the use of weak crypto\n algorithms (bsc#1169511).\n - CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions\n (bsc#1169511).\n - CVE-2020-2800: Fixed an HTTP header injection issue caused by\n mishandling of CR/LF in header values (bsc#1169511).\n - CVE-2020-2803: Fixed a boundary check and type check issue that could\n have led to a sandbox bypass (bsc#1169511).\n - CVE-2020-2805: Fixed a boundary check and type check issue that could\n have led to a sandbox bypass (bsc#1169511).\n - CVE-2020-2816: Fixed an incorrect handling of application data packets\n during TLS handshakes (bsc#1169511).\n - CVE-2020-2830: Fixed an incorrect handling of regular expressions that\n could have resulted in denial of service (bsc#1169511).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2020-06-02T15:13:37", "published": "2020-06-02T15:13:37", "id": "OPENSUSE-SU-2020:0757-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html", "title": "Security update for java-11-openjdk (important)", "type": "suse", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2020-04-22T04:55:20", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "[1:1.8.0.252.b09-2]\n- Add release notes.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b09-1]\n- Make use of --with-extra-asflags introduced in jdk8u252-b01.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b09-0]\n- Update to aarch64-shenandoah-jdk8u242-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b08.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b07.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b06.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b05.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b04-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b04.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b03-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b03.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b02-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b02.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b01-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b01.\n- Switch to EA mode.\n- Adjust JDK-8199936/PR3533 patch following JDK-8227397 configure change\n- Resolves: rhbz#1810557\n[1:1.8.0.242.b08-0]\n- Update to aarch64-shenandoah-jdk8u242-b08.\n- Remove local copies of JDK-8031111 & JDK-8132111 as replaced by upstream versions.\n- Resolves: rhbz#1785753", "edition": 1, "modified": "2020-04-21T00:00:00", "published": "2020-04-21T00:00:00", "id": "ELSA-2020-1506", "href": "http://linux.oracle.com/errata/ELSA-2020-1506.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-23T00:59:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "[1:1.8.0.252.b09-2]\n- Add release notes.\n- Mark license files with appropriate macro.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b09-1]\n- Make use of --with-extra-asflags introduced in jdk8u252-b01.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b09-0]\n- Update to aarch64-shenandoah-jdk8u242-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b08.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b07.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b06.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b05.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b04-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b04.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b03-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b03.\n- Adjust PR2974/RH1337583 & PR3083/RH1346460 following context changes in JDK-8230978\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b02-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b02.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b01-0.1.ea]\n- Update to aarch64-shenandoah-jdk8u252-b01.\n- Switch to EA mode.\n- Adjust JDK-8199936/PR3533 patch following JDK-8227397 configure change\n- Remove local copies of JDK-8231991 & JDK-8234107 as replaced by upstream versions.\n- Resolves: rhbz#1810557", "edition": 2, "modified": "2020-04-22T00:00:00", "published": "2020-04-22T00:00:00", "id": "ELSA-2020-1512", "href": "http://linux.oracle.com/errata/ELSA-2020-1512.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-23T05:00:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "[1:1.8.0.252.b09-2]\n- Add release notes.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b09-1]\n- Make use of --with-extra-asflags introduced in jdk8u252-b01.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b09-0]\n- Update to aarch64-shenandoah-jdk8u252-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b08.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b07.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b06.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b05.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b04-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b04.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b03-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b03.\n- Adjust PR2974/RH1337583 & PR3083/RH1346460 following context changes in JDK-8230978\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b02-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b02.\n- Resolves: rhbz#1810557\n[1:1.8.0.252.b01-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u252-b01.\n- Switch to EA mode.\n- Adjust JDK-8199936/PR3533 patch following JDK-8227397 configure change\n- Resolves: rhbz#1810557", "edition": 1, "modified": "2020-04-22T00:00:00", "published": "2020-04-22T00:00:00", "id": "ELSA-2020-1515", "href": "http://linux.oracle.com/errata/ELSA-2020-1515.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-22T05:00:36", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "[1:1.7.0.261-2.6.22.1.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.261-2.6.22.1]\n- Add release notes from IcedTea.\n- Resolves: rhbz#1810557\n[1:1.7.0.261-2.6.22.0]\n- Bump to 2.6.22 and OpenJDK 7u261-b02.\n- Resolves: rhbz#1810557", "edition": 1, "modified": "2020-04-21T00:00:00", "published": "2020-04-21T00:00:00", "id": "ELSA-2020-1508", "href": "http://linux.oracle.com/errata/ELSA-2020-1508.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-23T07:01:10", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "[1:1.7.0.261-2.6.22.2.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.261-2.6.22.2]\n- Modify NEWS installation to avoid subpackage naming.\n- Resolves: rhbz#1810557\n[1:1.7.0.261-2.6.22.1]\n- Add release notes from IcedTea.\n- Mark license files with appropriate macro.\n- Resolves: rhbz#1810557\n[1:1.7.0.261-2.6.22.0]\n- Bump to 2.6.22 and OpenJDK 7u261-b02.\n- Resolves: rhbz#1810557", "edition": 3, "modified": "2020-04-22T00:00:00", "published": "2020-04-22T00:00:00", "id": "ELSA-2020-1507", "href": "http://linux.oracle.com/errata/ELSA-2020-1507.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-04-22T08:56:33", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2816", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2778", "CVE-2020-2767", "CVE-2020-2754"], "description": "[1:11.0.7.10-1]\n- Add JDK-8228407 backport to resolve crashes during verification.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-1]\n- Amend release notes, removing issue actually fixed in 11.0.6.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-1]\n- Re-apply --with-extra-asflags as crash was not due to this.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-1]\n- Add release notes.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-1]\n- Revert asflags changes as build remains broken.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-1]\n- Build still failing with just assembler build notes option, trying with just optimisation flags.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-1]\n- Passing optimisation flags to assembler causes build to crash.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-1]\n- Make use of --with-extra-asflags introduced in jdk-11.0.6+1.\n- Resolves: rhbz#1810557\n[1:11.0.7.10-0]\n- Update to shenandoah-jdk-11.0.7+10 (GA)\n- Switch to GA mode for final release.\n- Resolves: rhbz#1810557\n[1:11.0.7.9-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+9 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.8-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+8 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.7-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+7 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.6-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+6 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.5-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+5 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.4-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+4 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.3-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+3 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.2-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+2 (EA)\n- Resolves: rhbz#1810557\n[1:11.0.7.1-0.0.ea]\n- Update to shenandoah-jdk-11.0.7+1 (EA)\n- Switch to EA mode for 11.0.7 pre-release builds.\n- Drop JDK-8236039 backport now applied upstream.\n- Resolves: rhbz#1810557", "edition": 1, "modified": "2020-04-21T00:00:00", "published": "2020-04-21T00:00:00", "id": "ELSA-2020-1514", "href": "http://linux.oracle.com/errata/ELSA-2020-1514.html", "title": "java-11-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2020-06-03T15:39:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-05-29T00:00:00", "published": "2020-05-29T00:00:00", "id": "OPENVAS:1361412562310877883", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877883", "type": "openvas", "title": "Fedora: Security Advisory for java-1.8.0-openjdk (FEDORA-2020-a60ad9d4ec)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877883\");\n script_version(\"2020-05-29T08:53:11+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-29 08:53:11 +0000 (Fri, 29 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-29 03:29:02 +0000 (Fri, 29 May 2020)\");\n script_name(\"Fedora: Security Advisory for java-1.8.0-openjdk (FEDORA-2020-a60ad9d4ec)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2020-a60ad9d4ec\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.8.0-openjdk'\n package(s) announced via the FEDORA-2020-a60ad9d4ec advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The OpenJDK runtime environment 8.\");\n\n script_tag(name:\"affected\", value:\"'java-1.8.0-openjdk' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.252.b09~0.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-06T01:15:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-04-30T00:00:00", "published": "2020-04-28T00:00:00", "id": "OPENVAS:1361412562310883222", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883222", "type": "openvas", "title": "CentOS: Security Advisory for java (CESA-2020:1506)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883222\");\n script_version(\"2020-04-30T08:51:29+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 08:51:29 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-28 03:00:43 +0000 (Tue, 28 Apr 2020)\");\n script_name(\"CentOS: Security Advisory for java (CESA-2020:1506)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n\n script_xref(name:\"CESA\", value:\"2020:1506\");\n script_xref(name:\"URL\", value:\"https://lists.centos.org/pipermail/centos-announce/2020-April/035702.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2020:1506 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)\n(CVE-2020-2803)\n\n * OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,\n8235274) (CVE-2020-2805)\n\n * OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and\nDOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n * OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)\n(CVE-2020-2781)\n\n * OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP\nServer, 8234825) (CVE-2020-2800)\n\n * OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)\n(CVE-2020-2830)\n\n * OpenJDK: Misplaced regular expression syntax error check in RegExpScanner\n(Scripting, 8223898) (CVE-2020-2754)\n\n * OpenJDK: Incorrect handling of empty string nodes in regular expression\nParser (Scripting, 8223904) (CVE-2020-2755)\n\n * OpenJDK: Incorrect handling of references to uninitialized class\ndescriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n * OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass\n(Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 6.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS6\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-debug\", rpm:\"java-1.8.0-openjdk-debug~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo-debug\", rpm:\"java-1.8.0-openjdk-demo-debug~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel-debug\", rpm:\"java-1.8.0-openjdk-devel-debug~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless-debug\", rpm:\"java-1.8.0-openjdk-headless-debug~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-debug\", rpm:\"java-1.8.0-openjdk-javadoc-debug~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", rpm:\"java-1.8.0-openjdk-src~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src-debug\", rpm:\"java-1.8.0-openjdk-src-debug~1.8.0.252.b09~2.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-18T15:23:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-05-15T00:00:00", "published": "2020-05-11T00:00:00", "id": "OPENVAS:1361412562310877801", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877801", "type": "openvas", "title": "Fedora: Security Advisory for java-1.8.0-openjdk (FEDORA-2020-5386fe3bbb)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877801\");\n script_version(\"2020-05-15T04:25:55+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-15 04:25:55 +0000 (Fri, 15 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-11 03:21:47 +0000 (Mon, 11 May 2020)\");\n script_name(\"Fedora: Security Advisory for java-1.8.0-openjdk (FEDORA-2020-5386fe3bbb)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC32\");\n\n script_xref(name:\"FEDORA\", value:\"2020-5386fe3bbb\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.8.0-openjdk'\n package(s) announced via the FEDORA-2020-5386fe3bbb advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The OpenJDK runtime environment 8.\");\n\n script_tag(name:\"affected\", value:\"'java-1.8.0-openjdk' package(s) on Fedora 32.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC32\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java\", rpm:\"java~1.8.0~openjdk~1.8.0.252.b09~0.fc32\", rls:\"FC32\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-06-25T13:27:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-06-24T00:00:00", "published": "2020-06-14T00:00:00", "id": "OPENVAS:1361412562310853208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853208", "type": "openvas", "title": "openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2020:0800-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853208\");\n script_version(\"2020-06-24T03:42:18+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-24 03:42:18 +0000 (Wed, 24 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-14 03:01:16 +0000 (Sun, 14 Jun 2020)\");\n script_name(\"openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2020:0800-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0800-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_8_0-openjdk'\n package(s) announced via the openSUSE-SU-2020:0800-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for java-1_8_0-openjdk to version jdk8u252 fixes the following\n issues:\n\n - CVE-2020-2754: Forward references to Nashorn (bsc#1169511)\n\n - CVE-2020-2755: Improve Nashorn matching (bsc#1169511)\n\n - CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)\n\n - CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)\n\n - CVE-2020-2773: Better signatures in XML (bsc#1169511)\n\n - CVE-2020-2781: Improve TLS session handling (bsc#1169511)\n\n - CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)\n\n - CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)\n\n - CVE-2020-2805: Enhance typing of methods (bsc#1169511)\n\n - CVE-2020-2830: Better Scanner conversions (bsc#1169511)\n\n - Ignore whitespaces after the header or footer in PEM X.509 cert\n (bsc#1171352)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-800=1\");\n\n script_tag(name:\"affected\", value:\"'java-1_8_0-openjdk' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk\", rpm:\"java-1_8_0-openjdk~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-accessibility\", rpm:\"java-1_8_0-openjdk-accessibility~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debuginfo\", rpm:\"java-1_8_0-openjdk-debuginfo~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debugsource\", rpm:\"java-1_8_0-openjdk-debugsource~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo\", rpm:\"java-1_8_0-openjdk-demo~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo-debuginfo\", rpm:\"java-1_8_0-openjdk-demo-debuginfo~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel\", rpm:\"java-1_8_0-openjdk-devel~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel-debuginfo\", rpm:\"java-1_8_0-openjdk-devel-debuginfo~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless\", rpm:\"java-1_8_0-openjdk-headless~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless-debuginfo\", rpm:\"java-1_8_0-openjdk-headless-debuginfo~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-src\", rpm:\"java-1_8_0-openjdk-src~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-javadoc\", rpm:\"java-1_8_0-openjdk-javadoc~1.8.0.252~lp151.2.12.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-07-21T19:30:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-06-30T00:00:00", "published": "2020-06-25T00:00:00", "id": "OPENVAS:1361412562310853227", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853227", "type": "openvas", "title": "openSUSE: Security Advisory for java-1_8_0-openj9 (openSUSE-SU-2020:0841-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853227\");\n script_version(\"2020-06-30T06:18:22+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-30 06:18:22 +0000 (Tue, 30 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-25 03:00:41 +0000 (Thu, 25 Jun 2020)\");\n script_name(\"openSUSE: Security Advisory for java-1_8_0-openj9 (openSUSE-SU-2020:0841-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.2\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0841-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_8_0-openj9'\n package(s) announced via the openSUSE-SU-2020:0841-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for java-1_8_0-openj9 fixes the following issues:\n\n java-1_8_0-openj9 was updated to Java 8.0 Service Refresh 6 Fix Pack 10\n (bsc#1169511)\n\n - CVE-2020-2830: Improved Scanner conversions\n\n - CVE-2020-2805: Enhanced typing of methods\n\n - CVE-2020-2803: Enhanced buffering of byte buffers\n\n - CVE-2020-2800: Improved Headings for HTTP Servers\n\n - CVE-2020-2781: Improved TLS session handling\n\n - CVE-2020-2773: Fixed an issue which could have allowed an attacker to\n caise denial of service\n\n - CVE-2020-2757: Less Blocking Array Queues\n\n - CVE-2020-2756: Improved mapping of serial ENUMs\n\n - CVE-2020-2755: Improved Nashorn matching\n\n - CVE-2020-2754: Forwarded references to Nashorn\n\n - The pack200 and unpack200 alternatives should be slaves of java\n (bsc#1171352).\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2020-841=1\");\n\n script_tag(name:\"affected\", value:\"'java-1_8_0-openj9' package(s) on openSUSE Leap 15.2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-javadoc\", rpm:\"java-1_8_0-openj9-javadoc~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9\", rpm:\"java-1_8_0-openj9~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-accessibility\", rpm:\"java-1_8_0-openj9-accessibility~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-debuginfo\", rpm:\"java-1_8_0-openj9-debuginfo~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-debugsource\", rpm:\"java-1_8_0-openj9-debugsource~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-demo\", rpm:\"java-1_8_0-openj9-demo~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-demo-debuginfo\", rpm:\"java-1_8_0-openj9-demo-debuginfo~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-devel\", rpm:\"java-1_8_0-openj9-devel~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-headless\", rpm:\"java-1_8_0-openj9-headless~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openj9-src\", rpm:\"java-1_8_0-openj9-src~1.8.0.252~lp152.2.3.1\", rls:\"openSUSELeap15.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-22T13:29:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-05-20T00:00:00", "published": "2020-05-15T00:00:00", "id": "OPENVAS:1361412562310877831", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877831", "type": "openvas", "title": "Fedora: Security Advisory for java-1.8.0-openjdk (FEDORA-2020-21ca991b3b)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877831\");\n script_version(\"2020-05-20T02:28:18+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-20 02:28:18 +0000 (Wed, 20 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-15 03:23:34 +0000 (Fri, 15 May 2020)\");\n script_name(\"Fedora: Security Advisory for java-1.8.0-openjdk (FEDORA-2020-21ca991b3b)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2020-21ca991b3b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.8.0-openjdk'\n package(s) announced via the FEDORA-2020-21ca991b3b advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The OpenJDK runtime environment 8.\");\n\n script_tag(name:\"affected\", value:\"'java-1.8.0-openjdk' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.252.b09~0.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-08T17:12:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-05-07T00:00:00", "published": "2020-05-01T00:00:00", "id": "OPENVAS:1361412562310883230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883230", "type": "openvas", "title": "CentOS: Security Advisory for java (CESA-2020:1512)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883230\");\n script_version(\"2020-05-07T07:41:43+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-07 07:41:43 +0000 (Thu, 07 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-01 03:01:24 +0000 (Fri, 01 May 2020)\");\n script_name(\"CentOS: Security Advisory for java (CESA-2020:1512)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2020:1512\");\n script_xref(name:\"URL\", value:\"https://lists.centos.org/pipermail/centos-announce/2020-April/035706.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2020:1512 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)\n(CVE-2020-2803)\n\n * OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,\n8235274) (CVE-2020-2805)\n\n * OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and\nDOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n * OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)\n(CVE-2020-2781)\n\n * OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP\nServer, 8234825) (CVE-2020-2800)\n\n * OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)\n(CVE-2020-2830)\n\n * OpenJDK: Misplaced regular expression syntax error check in RegExpScanner\n(Scripting, 8223898) (CVE-2020-2754)\n\n * OpenJDK: Incorrect handling of empty string nodes in regular expression\nParser (Scripting, 8223904) (CVE-2020-2755)\n\n * OpenJDK: Incorrect handling of references to uninitialized class\ndescriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n * OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass\n(Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-accessibility\", rpm:\"java-1.8.0-openjdk-accessibility~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-zip\", rpm:\"java-1.8.0-openjdk-javadoc-zip~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", rpm:\"java-1.8.0-openjdk-src~1.8.0.252.b09~2.el7_8\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-06T01:16:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "The remote host is missing an update for the ", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "OPENVAS:1361412562310704668", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704668", "type": "openvas", "title": "Debian: Security Advisory for openjdk-8 (DSA-4668-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704668\");\n script_version(\"2020-04-30T03:00:24+0000\");\n script_cve_id(\"CVE-2020-2754\", \"CVE-2020-2755\", \"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 03:00:24 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-30 03:00:24 +0000 (Thu, 30 Apr 2020)\");\n script_name(\"Debian: Security Advisory for openjdk-8 (DSA-4668-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4668.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4668-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-8'\n package(s) announced via the DSA-4668-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been discovered in the OpenJDK Java runtime,\nresulting in denial of service, insecure TLS handshakes, bypass of\nsandbox restrictions or HTTP response splitting attacks.\");\n\n script_tag(name:\"affected\", value:\"'openjdk-8' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 8u252-b09-1~deb9u1.\n\nWe recommend that you upgrade your openjdk-8 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-dbg\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-demo\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-doc\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jdk\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jdk-headless\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre-headless\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre-zero\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-source\", ver:\"8u252-b09-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-15T15:39:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "The host is installed with Oracle Java SE\n and is prone to multiple security vulnerabilities.", "modified": "2020-05-12T00:00:00", "published": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310816855", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310816855", "type": "openvas", "title": "Oracle Java SE Security Updates(apr2020) 01 - Windows", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.816855\");\n script_version(\"2020-05-12T13:57:17+0000\");\n script_cve_id(\"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2781\", \"CVE-2020-2830\",\n \"CVE-2020-2800\", \"CVE-2020-2773\", \"CVE-2020-2756\", \"CVE-2020-2757\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-12 13:57:17 +0000 (Tue, 12 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-15 08:39:55 +0530 (Wed, 15 Apr 2020)\");\n script_name(\"Oracle Java SE Security Updates(apr2020) 01 - Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n and is prone to multiple security vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to errors in components\n Libraries, JSSE, Concurrency, Lightweight HTTP Server, Serialization and Security.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to have an impact on confidentiality, integrity and availability.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE version 7u251 (1.7.0.251)\n and earlier, 8u241 (1.8.0.241) and earlier, 11.0.6 and earlier, 14 on Windows.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Sun/Java/JDK_or_JRE/Win/installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:oracle:jre\", \"cpe:/a:sun:jre\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"1.8.0\", test_version2:\"1.8.0.241\") ||\n version_in_range(version:vers, test_version:\"1.7.0\", test_version2:\"1.7.0.251\") ||\n version_in_range(version:vers, test_version:\"11.0\", test_version2:\"11.0.6\") ||\n version_is_equal(version:vers, test_version:\"14.0\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version: \"Apply the patch\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-06T01:15:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "The remote host is missing an update for the ", "modified": "2020-04-30T00:00:00", "published": "2020-04-28T00:00:00", "id": "OPENVAS:1361412562310883224", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883224", "type": "openvas", "title": "CentOS: Security Advisory for java (CESA-2020:1508)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883224\");\n script_version(\"2020-04-30T08:51:29+0000\");\n script_cve_id(\"CVE-2020-2756\", \"CVE-2020-2757\", \"CVE-2020-2773\", \"CVE-2020-2781\", \"CVE-2020-2800\", \"CVE-2020-2803\", \"CVE-2020-2805\", \"CVE-2020-2830\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 08:51:29 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-28 03:00:56 +0000 (Tue, 28 Apr 2020)\");\n script_name(\"CentOS: Security Advisory for java (CESA-2020:1508)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n\n script_xref(name:\"CESA\", value:\"2020:1508\");\n script_xref(name:\"URL\", value:\"https://lists.centos.org/pipermail/centos-announce/2020-April/035701.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2020:1508 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)\n(CVE-2020-2803)\n\n * OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,\n8235274) (CVE-2020-2805)\n\n * OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and\nDOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n * OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)\n(CVE-2020-2781)\n\n * OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP\nServer, 8234825) (CVE-2020-2800)\n\n * OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)\n(CVE-2020-2830)\n\n * OpenJDK: Incorrect handling of references to uninitialized class\ndescriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n * OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass\n(Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 6.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS6\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.261~2.6.22.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.261~2.6.22.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.261~2.6.22.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.261~2.6.22.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.261~2.6.22.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2830"], "description": "The OpenJDK runtime environment 8. ", "modified": "2020-05-07T03:11:08", "published": "2020-05-07T03:11:08", "id": "FEDORA:F22596075DBD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: java-1.8.0-openjdk-1.8.0.252.b09-0.fc32", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2830"], "description": "The OpenJDK runtime environment 8. ", "modified": "2020-05-18T03:23:13", "published": "2020-05-18T03:23:13", "id": "FEDORA:6F5D4605A6B2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: java-1.8.0-openjdk-1.8.0.252.b09-0.fc31", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2803", "CVE-2020-2830"], "description": "The OpenJDK runtime environment 8. ", "modified": "2020-05-13T03:36:38", "published": "2020-05-13T03:36:38", "id": "FEDORA:3F8B2606CFA7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: java-1.8.0-openjdk-1.8.0.252.b09-0.fc30", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:09:24", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756", "CVE-2020-2754"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4668-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 28, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-8\nCVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 \n CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 \n CVE-2020-2805\n\nSeveral vulnerabilities have been discovered in the OpenJDK Java runtime,\nresulting in denial of service, insecure TLS handshakes, bypass of\nsandbox restrictions or HTTP response splitting attacks.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 8u252-b09-1~deb9u1.\n\nWe recommend that you upgrade your openjdk-8 packages.\n\nFor the detailed security status of openjdk-8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openjdk-8\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2020-04-28T19:35:33", "published": "2020-04-28T19:35:33", "id": "DEBIAN:DSA-4668-1:C5B44", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00070.html", "title": "[SECURITY] [DSA 4668-1] openjdk-8 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-08-12T00:57:58", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2773", "CVE-2020-2756"], "description": "Package : openjdk-7\nVersion : 7u261-2.6.22-1~deb8u1\nCVE ID : CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 \n CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830\n\n\nSeveral vulnerabilities have been discovered in the OpenJDK Java\nruntime, resulting in denial of service, insecure TLS handshakes, bypass\nof sandbox restrictions or HTTP response splitting attacks.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n7u261-2.6.22-1~deb8u1.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 7, "modified": "2020-04-29T00:49:13", "published": "2020-04-29T00:49:13", "id": "DEBIAN:DLA-2193-1:EADDD", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202004/msg00024.html", "title": "[SECURITY] [DLA 2193-1] openjdk-7 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "gentoo": [{"lastseen": "2020-06-15T19:22:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-2830", "CVE-2020-2803", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-2805", "CVE-2020-2585", "CVE-2020-2773", "CVE-2020-2756"], "description": "### Background\n\nOpenJDK is a free and open-source implementation of the Java Platform, Standard Edition. \n\nIcedTea\u2019s aim is to provide OpenJDK in a form suitable for easy configuration, compilation and distribution with the primary goal of allowing inclusion in GNU/Linux distributions. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenJDK and IcedTea. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenJDK binary users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/openjdk-bin-8.252_p09\"\n \n\nAll OpenJDK JRE binary users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/openjdk-jre-bin-8.252_p09\"\n \n\nAll IcedTea binary users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-3.16.0\"", "edition": 1, "modified": "2020-06-15T00:00:00", "published": "2020-06-15T00:00:00", "id": "GLSA-202006-22", "href": "https://security.gentoo.org/glsa/202006-22", "title": "OpenJDK, IcedTea: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}]}