ALAS-2014-430: Important: java-1.6.0-openjdk

Issue Overview:

Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)

It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform an XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents. (CVE-2014-6517)
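
As an added example (not code from the advisory or from OpenJDK), this Java class puts the weak StAX configuration the advisory refers to, where only IS_SUPPORTING_EXTERNAL_ENTITIES is turned off, beside a hardened factory that also sets SUPPORT_DTD to false, and wraps parsing in a reader that rejects any document carrying a DTD, so that parameter entities are never reached whatever a given parser version does with them. The class and method names are the example's own.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not from the advisory or OpenJDK): weak versus hardened
 * StAX configuration for untrusted XML, plus a reader that refuses DTDs.
 */
public final class UntrustedStaxReader {

    /** Weak: only external general entities are switched off. Before the
     *  CVE-2014-6517 fix this still left external parameter entities declared
     *  in the DTD subject to expansion. */
    static XMLInputFactory weakFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Hardened: no DTD processing at all, so neither general nor parameter
     *  entities can be declared, and external entity support stays off too. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /**
     * Returns the concatenated character content of an untrusted document.
     * Two independent checks reject any document that carries a DTD, so the
     * outcome does not depend on how a particular parser version treats a
     * DOCTYPE: a literal pre-scan of the already decoded input, and a check
     * on the DTD and ENTITY_REFERENCE events the stream reader reports.
     */
    static String readText(XMLInputFactory f, String xml) throws XMLStreamException {
        // XML keywords are case-sensitive, so a DTD can only start as "<!DOCTYPE".
        // A match inside a comment or CDATA section is a false positive we accept
        // for untrusted input.
        if (xml.contains("<!DOCTYPE")) {
            throw new XMLStreamException("untrusted input declares a DTD; rejected");
        }
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.DTD || ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    throw new XMLStreamException("DTD or unresolved entity in untrusted input; rejected");
                }
                if (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA) {
                    text.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples. The DOCTYPE one carries only an internal subset;
        // the point is that any DTD is refused before entities come into play.
        String plain = "<?xml version=\"1.0\"?><note>hello</note>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE note [<!ENTITY e \"x\">]><note>&e;</note>";

        System.out.println("plain   : " + readText(hardenedFactory(), plain));
        try {
            readText(hardenedFactory(), withDtd);
            System.out.println("DOCTYPE : accepted (unexpected)");
        } catch (XMLStreamException e) {
            System.out.println("DOCTYPE : " + e.getMessage());
        }
    }
}
```

The weak factory is kept only to show the difference in settings; with readText wrapped around it, a DTD-bearing document is still refused by the pre-scan, but that is the wrapper's doing, not the factory's.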

It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source. (CVE-2014-6512)

It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. (CVE-2014-6457)

It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class. (CVE-2014-6558)

Affected Packages:
java-1.6.0-openjdk
Issue Correction:
Run yum update java-1.6.0-openjdk to update your system.

New Packages:

i686:
java-1.6.0-openjdk-debuginfo-1.6.0.33-67.1.13.5.0.67.amzn1.i686
java-1.6.0-openjdk-devel-1.6.0.33-67.1.13.5.0.67.amzn1.i686
java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1.i686
java-1.6.0-openjdk-javadoc-1.6.0.33-67.1.13.5.0.67.amzn1.i686
java-1.6.0-openjdk-src-1.6.0.33-67.1.13.5.0.67.amzn1.i686
java-1.6.0-openjdk-demo-1.6.0.33-67.1.13.5.0.67.amzn1.i686

src:
java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1.src

x86_64:
java-1.6.0-openjdk-demo-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64
java-1.6.0-openjdk-javadoc-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64
java-1.6.0-openjdk-debuginfo-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64
java-1.6.0-openjdk-devel-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64
java-1.6.0-openjdk-src-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64
java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64

Published: 2014-10-16 (reporter: Amazon)
CVSS v2 score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Advisory URL: https://alas.aws.amazon.com/ALAS-2014-430.html

References:

https://rhn.redhat.com/errata/RHSA-2014-1634.html
A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents. ([CVE-2014-6517 __](<https://access.redhat.com/security/cve/CVE-2014-6517>))\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source. ([CVE-2014-6512 __](<https://access.redhat.com/security/cve/CVE-2014-6512>))\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. ([CVE-2014-6457 __](<https://access.redhat.com/security/cve/CVE-2014-6457>))\n\nIt was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class. 
([CVE-2014-6558 __](<https://access.redhat.com/security/cve/CVE-2014-6558>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.49.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.49.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.49.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.49.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.49.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.49.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.49.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.49.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.49.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-10-16T22:16:00", "published": "2014-10-16T22:16:00", "id": "ALAS-2014-431", "href": "https://alas.aws.amazon.com/ALAS-2014-431.html", "title": "Important: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-10T12:35:47", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6562", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6468", "CVE-2014-6512"], "description": "**Issue Overview:**\n\nIt was discovered that the Libraries component in OpenJDK failed to properly handle ZIP archives that contain entries with a NUL byte used in the file names. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. 
([CVE-2014-6562 __](<https://access.redhat.com/security/cve/CVE-2014-6562>))\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2014-6506 __](<https://access.redhat.com/security/cve/CVE-2014-6506>), [CVE-2014-6531 __](<https://access.redhat.com/security/cve/CVE-2014-6531>), [CVE-2014-6502 __](<https://access.redhat.com/security/cve/CVE-2014-6502>), [CVE-2014-6511 __](<https://access.redhat.com/security/cve/CVE-2014-6511>), [CVE-2014-6504 __](<https://access.redhat.com/security/cve/CVE-2014-6504>), [CVE-2014-6519 __](<https://access.redhat.com/security/cve/CVE-2014-6519>))\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents. ([CVE-2014-6517 __](<https://access.redhat.com/security/cve/CVE-2014-6517>))\n\nIt was discovered that the Hotspot component in OpenJDK failed to properly handle malformed Shared Archive files. A local attacker able to modify a Shared Archive file used by a virtual machine of a different user could possibly use this flaw to escalate their privileges. ([CVE-2014-6468 __](<https://access.redhat.com/security/cve/CVE-2014-6468>))\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source. 
([CVE-2014-6512 __](<https://access.redhat.com/security/cve/CVE-2014-6512>))\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. ([CVE-2014-6457 __](<https://access.redhat.com/security/cve/CVE-2014-6457>))\n\nIt was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class. ([CVE-2014-6558 __](<https://access.redhat.com/security/cve/CVE-2014-6558>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-devel-1.8.0.25-0.b18.4.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.25-0.b18.4.amzn1.i686 \n java-1.8.0-openjdk-1.8.0.25-0.b18.4.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.25-0.b18.4.amzn1.i686 \n java-1.8.0-openjdk-demo-1.8.0.25-0.b18.4.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.25-0.b18.4.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.25-0.b18.4.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.25-0.b18.4.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-devel-1.8.0.25-0.b18.4.amzn1.x86_64 \n java-1.8.0-openjdk-1.8.0.25-0.b18.4.amzn1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.25-0.b18.4.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.25-0.b18.4.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.25-0.b18.4.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.25-0.b18.4.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-10-16T22:16:00", "published": "2014-10-16T22:16:00", "id": "ALAS-2014-432", "href": "https://alas.aws.amazon.com/ALAS-2014-432.html", 
"title": "Important: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:54", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "[1:1.7.0.71-2.5.3.1.0.1.el5_11]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Enterprise Linux'\n[1:1.7.0.71-2.5.3.1]\n- Bump to 2.5.3 with security updates.\n- Remove obsolete patches which are now included upstream.\n- Disable LCMS via environment variables rather than maintaining a patch.\n- Resolves: rhbz#1148890", "edition": 4, "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "ELSA-2014-1633", "href": "http://linux.oracle.com/errata/ELSA-2014-1633.html", "title": "java-1.7.0-openjdk security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:57", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "[1:1.6.0.33-1.13.5.0]\r\n- Update to IcedTea 1.13.5\r\n- Remove upstreamed patches.\r\n- Regenerate add-final-location-rpaths patch against new release.\r\n- Change versioning to match java-1.7.0-openjdk so revisions work.\r\n- Use xz for tarballs to reduce file size.\r\n- No need to explicitly disable system LCMS any more (bug fixed upstream).\r\n- Add icedteasnapshot to setup lines so they work with pre-release tarballs.\r\n- Resolves: rhbz#1148901\r", "edition": 4, "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "ELSA-2014-1634", "href": "http://linux.oracle.com/errata/ELSA-2014-1634.html", "title": "java-1.6.0-openjdk security and bug fix update", 
"type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:40", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "[1:1.7.0.65-2.5.3.1.0.1.el7_0]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.65-2.5.3.1]\n- Bump to 2.5.3 for latest security fixes.\n- Remove obsolete patches.\n- Add hsbootstrap option to pre-build HotSpot when required.\n- Resolves: rhbz#1148893", "edition": 4, "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "ELSA-2014-1620", "href": "http://linux.oracle.com/errata/ELSA-2014-1620.html", "title": "java-1.7.0-openjdk security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:36", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6562", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6468", "CVE-2014-6512"], "description": "[1:1.8.0.25-1.b17]\r\n- Update to October CPU patch update.\r\n- Resolves: RHBZ#1148896\r\n \n[1:1.8.0.20-3.b26]\r\n- fixed headless (policytool moved to normal)\r\n - jre/bin/policytool added to not headless exclude list\r\n- updated aarch694 source\r\n- ppc64le synced from fedora\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.20-2.b26]\r\n- forcing build by itself (jdk8 by jdk8)\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.20-1.b26]\r\n- updated to u20-b26\r\n- adapted patch9999 enableArm64.patch\r\n- adapted patch100 s390-java-opts.patch\r\n- adapted patch102 size_t.patch\r\n- removed upstreamed patch 0001-PPC64LE-arch-support-in-openjdk-1.8.patch\r\n- adapted system-lcms.patch\r\n- removed patch8 set-active-window.patch\r\n- removed patch9 javadoc-error-jdk-8029145.patch\r\n- 
removed patch10 javadoc-error-jdk-8037484.patch\r\n- removed patch99 applet-hole.patch - itw 1.5.1 is able to ive without it\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.11-19.b12]\r\n- fixed desktop icons\r\n- Icon set to java-1.8.0\r\n- Development removed from policy tool\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.11-18.b12]\r\n- fixed jstack\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.11-15.b12]\r\n- fixed provides/obsolates\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.11-14.b12]\r\n- mayor rework of specfile - sync with f21\r\n - accessibility kept removed\r\n - lua script kept unsync\r\n - priority and epoch kept on 0 - not included disable-doclint patch\r\n - kept bundled lcms\r\n - unused OrderWithRequires\r\n - used with-stdcpplib instead of with-stdc++lib\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.11-4.b13]\r\n- Added security patches\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.5-6.b13]\r\n- Removed accessibility package\r\n - removed patch3 java-atk-wrapper-security.patch\r\n - removed its files and declaration\r\n - removed creation of libatk-wrapper.so and java-atk-wrapper.jar symlinks\r\n - removed generation of accessibility.properties\r\n- Resolves: rhbz#1113078\r\n \n[1:1.8.0.5-5.b13]\r\n- priority lowered to 00000\r\n- Resolves: rhbz#1081073\r\n \n[1:1.8.0.5-4.b13]\r\n- Initial import from fedora\r\n- Used bundled lcms2\r\n - added java-1.8.0-openjdk-disable-system-lcms.patch\r\n - --with-lcms changed to bundled\r\n - removed build requirement\r\n - excluded removal of lcms from remove-intree-libraries.sh\r\n- removed --with-extra-cflags=\"-fno-devirtualize\" and --with-extra-cxxflags=\"-fn\r\no-devirtualize\"---\r\n- added patch998, rhel6-built.patch to\r\n - fool autotools\r\n - replace all ++ chars in autoconfig files by pp\r\n- --with-stdc++lib=dynamic replaced by --with-stdcpplib=dynamic\r\n- Bumped release\r\n- Set epoch to 0\r\n- removed patch6, disable-doclint-by-default.patch\r\n- Resolves: rhbz#1081073\r", "edition": 4, "modified": 
"2014-10-22T00:00:00", "published": "2014-10-22T00:00:00", "id": "ELSA-2014-1636", "href": "http://linux.oracle.com/errata/ELSA-2014-1636.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:27:05", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "**CentOS Errata and Security Advisory** CESA-2014:1633\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. (CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. 
A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug:\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to servers\nusing larger DH keys during the connection handshake. This update adds\nsupport for DH keys with size up to 2048 bits. (BZ#1148309)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-October/032721.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-1633.html", "edition": 3, "modified": "2014-10-15T11:42:17", "published": "2014-10-15T11:42:17", "href": "http://lists.centos.org/pipermail/centos-announce/2014-October/032721.html", "id": "CESA-2014:1633", "title": "java security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-30T13:21:49", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "**CentOS Errata and Security Advisory** CESA-2014:1620\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. 
(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nThis update also fixes the following bug:\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to servers\nusing larger DH keys during the connection handshake. This update adds\nsupport for DH keys with size up to 2048 bits. (BZ#1148309)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-October/032728.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2014-October/007670.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-1620.html", "edition": 7, "modified": "2014-10-20T18:15:04", "published": "2014-10-15T12:22:05", "href": "http://lists.centos.org/pipermail/centos-announce/2014-October/032728.html", "id": "CESA-2014:1620", "title": "java security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-30T13:20:14", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "**CentOS Errata and Security Advisory** CESA-2014:1634\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. 
(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug:\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to servers\nusing larger DH keys during the connection handshake. This update adds\nsupport for DH keys with size up to 2048 bits. (BZ#1148309)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-October/032722.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-October/032727.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2014-October/007669.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-1634.html", "edition": 7, "modified": "2014-10-20T18:15:01", "published": "2014-10-15T11:48:47", "href": "http://lists.centos.org/pipermail/centos-announce/2014-October/032722.html", "id": "CESA-2014:1634", "title": "java security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-20T18:28:51", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6562", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6468", "CVE-2014-6512"], "description": "**CentOS Errata and Security Advisory** CESA-2014:1636\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nIt was discovered that the Libraries component in OpenJDK failed to\nproperly handle ZIP archives that contain entries with a NUL byte used in\nthe file names. An untrusted Java application or applet could use this flaw\nto bypass Java sandbox restrictions. (CVE-2014-6562)\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. 
(CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. (CVE-2014-6517)\n\nIt was discovered that the Hotspot component in OpenJDK failed to properly\nhandle malformed Shared Archive files. A local attacker able to modify a\nShared Archive file used by a virtual machine of a different user could\npossibly use this flaw to escalate their privileges. (CVE-2014-6468)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2014-October/007671.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-1636.html", "edition": 3, "modified": "2014-10-20T18:15:08", "published": "2014-10-20T18:15:08", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2014-October/007671.html", "id": "CESA-2014:1636", "title": "java security update", "type": "centos", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-12T09:48:51", "description": "Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.", "edition": 15, "published": "2014-12-01T00:00:00", "title": "Debian DSA-3080-1 : openjdk-7 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-12-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:openjdk-7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3080.NASL", "href": "https://www.tenable.com/plugins/nessus/79628", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3080. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79628);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_bugtraq_id(70533, 70538, 70544, 70548, 70552, 70556, 70564, 70567, 70570, 70572);\n script_xref(name:\"DSA\", value:\"3080\");\n\n script_name(english:\"Debian DSA-3080-1 : openjdk-7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/openjdk-7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-3080\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the openjdk-7 packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 7u71-2.5.3-2~deb7u1.\n\nFor the upcoming stable distribution (jessie), these problems have\nbeen fixed in version 7u71-2.5.3-1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"icedtea-7-jre-cacao\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"icedtea-7-jre-jamvm\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-dbg\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-demo\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-doc\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jdk\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jre\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", 
prefix:\"openjdk-7-jre-headless\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jre-lib\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jre-zero\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-source\", reference:\"7u71-2.5.3-2~deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:18:56", "description": "Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506 , CVE-2014-6531 , CVE-2014-6502 , CVE-2014-6511 ,\nCVE-2014-6504 , CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. 
(CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)", "edition": 23, "published": "2014-10-20T00:00:00", "title": "Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2014-431)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.7.0-openjdk", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-431.NASL", "href": "https://www.tenable.com/plugins/nessus/78561", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-431.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78561);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_xref(name:\"ALAS\", value:\"2014-431\");\n script_xref(name:\"RHSA\", value:\"2014:1620\");\n\n script_name(english:\"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2014-431)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security 
update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506 , CVE-2014-6531 , CVE-2014-6502 , CVE-2014-6511 ,\nCVE-2014-6504 , CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. 
(CVE-2014-6558)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-431.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.7.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = 
pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.49.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:54:46", "description": "Multiple vulnerabilities has been discovered and corrected in\njava-1.7.0-openjdk :\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519).\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents\n(CVE-2014-6517).\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source\n(CVE-2014-6512).\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication (CVE-2014-6457).\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. 
This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class (CVE-2014-6558).\n\nThe updated packages provides a solution for these security issues.", "edition": 25, "published": "2014-10-27T00:00:00", "title": "Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2014:209)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-10-27T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-accessibility", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-headless", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-src", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-javadoc"], "id": "MANDRIVA_MDVSA-2014-209.NASL", "href": "https://www.tenable.com/plugins/nessus/78688", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:209. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78688);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_bugtraq_id(70533, 70538, 70544, 70548, 70552, 70556, 70564, 70567, 70570, 70572);\n script_xref(name:\"MDVSA\", value:\"2014:209\");\n\n script_name(english:\"Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2014:209)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities has been discovered and corrected in\njava-1.7.0-openjdk :\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519).\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents\n(CVE-2014-6517).\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. 
A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source\n(CVE-2014-6512).\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication (CVE-2014-6457).\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class (CVE-2014-6558).\n\nThe updated packages provides a solution for these security issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:1620\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.65-2.5.3.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.65-2.5.3.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.65-2.5.3.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.65-2.5.3.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", 
reference:\"java-1.7.0-openjdk-headless-1.7.0.65-2.5.3.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.3.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.65-2.5.3.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:18:56", "description": "Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506 , CVE-2014-6531 , CVE-2014-6502 , CVE-2014-6511 ,\nCVE-2014-6504 , CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. 
(CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)", "edition": 23, "published": "2014-10-20T00:00:00", "title": "Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2014-430)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo"], "id": "ALA_ALAS-2014-430.NASL", "href": "https://www.tenable.com/plugins/nessus/78560", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-430.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78560);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_xref(name:\"ALAS\", value:\"2014-430\");\n script_xref(name:\"RHSA\", value:\"2014:1634\");\n\n script_name(english:\"Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2014-430)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security 
update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506 , CVE-2014-6531 , CVE-2014-6502 , CVE-2014-6511 ,\nCVE-2014-6504 , CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. 
(CVE-2014-6558)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-430.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.6.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = 
pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.33-67.1.13.5.0.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-67.1.13.5.0.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-67.1.13.5.0.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-67.1.13.5.0.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-67.1.13.5.0.67.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:48:51", "description": "Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.", "edition": 15, "published": "2014-11-27T00:00:00", "title": "Debian DSA-3077-1 : openjdk-6 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", 
"CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-11-27T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:openjdk-6", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3077.NASL", "href": "https://www.tenable.com/plugins/nessus/79586", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3077. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79586);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_bugtraq_id(70533, 70538, 70544, 70548, 70552, 70556, 70564, 70567, 70570, 70572);\n script_xref(name:\"DSA\", value:\"3077\");\n\n script_name(english:\"Debian DSA-3077-1 : openjdk-6 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/openjdk-6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-3077\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the openjdk-6 packages.\n\nFor the stable 
distribution (wheezy), these problems have been fixed\nin version 6b33-1.13.5-2~deb7u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"icedtea-6-jre-cacao\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"icedtea-6-jre-jamvm\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-dbg\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-demo\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif 
(deb_check(release:\"7.0\", prefix:\"openjdk-6-doc\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-jdk\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-jre\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-jre-headless\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-jre-lib\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-jre-zero\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-6-source\", reference:\"6b33-1.13.5-2~deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:29:48", "description": "Updated java-1.6.0-openjdk packages that fix multiple security issues\nand one bug are now available for Red Hat Enterprise Linux 5, 6, and\n7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug :\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to\nservers using larger DH keys during the connection handshake. 
This\nupdate adds support for DH keys with size up to 2048 bits.\n(BZ#1148309)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 24, "published": "2014-10-16T00:00:00", "title": "CentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2014:1634)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-10-16T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.6.0-openjdk", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2014-1634.NASL", "href": "https://www.tenable.com/plugins/nessus/78488", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1634 and \n# CentOS Errata and Security Advisory 2014:1634 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78488);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_xref(name:\"RHSA\", value:\"2014:1634\");\n\n script_name(english:\"CentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2014:1634)\");\n script_summary(english:\"Checks rpm output for the updated 
packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-openjdk packages that fix multiple security issues\nand one bug are now available for Red Hat Enterprise Linux 5, 6, and\n7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. 
A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug :\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to\nservers using larger DH keys during the connection handshake. This\nupdate adds support for DH keys with size up to 2048 bits.\n(BZ#1148309)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-October/020684.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e595be18\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-October/020689.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1de1e93d\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2014-October/001469.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ece68ba5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.6.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-6506\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x / 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el7_0\")) 
flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T02:47:18", "description": "Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. 
A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThis update also fixes the following bug :\n\n - The TLS/SSL implementation in OpenJDK previously failed\n to handle Diffie-Hellman (DH) keys with more than 1024\n bits. This caused client applications using JSSE to fail\n to establish TLS/SSL connections to servers using larger\n DH keys during the connection handshake. 
This update\n adds support for DH keys with size up to 2048 bits.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "edition": 13, "published": "2014-10-23T00:00:00", "title": "Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20141015)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-10-23T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo"], "id": "SL_20141015_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/78644", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78644);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20141015)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThis update also fixes the following bug :\n\n - The TLS/SSL implementation in OpenJDK previously failed\n to handle Diffie-Hellman (DH) keys with more than 1024\n bits. This caused client applications using JSSE to fail\n to establish TLS/SSL connections to servers using larger\n DH keys during the connection handshake. 
This update\n adds support for DH keys with size up to 2048 bits.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1410&L=scientific-linux-errata&T=0&P=1306\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1d26c78c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-1.7.0.71-2.5.3.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.el5_11\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : 
rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:29:48", "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nand one bug are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. 
A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nThis update also fixes the following bug :\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to\nservers using larger DH keys during the connection handshake. This\nupdate adds support for DH keys with size up to 2048 bits.\n(BZ#1148309)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 24, "published": "2014-10-16T00:00:00", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2014:1620)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-10-16T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "id": "CENTOS_RHSA-2014-1620.NASL", "href": "https://www.tenable.com/plugins/nessus/78486", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1620 and \n# CentOS Errata and Security Advisory 2014:1620 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78486);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_xref(name:\"RHSA\", value:\"2014:1620\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2014:1620)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or 
more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nand one bug are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. 
(CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nThis update also fixes the following bug :\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to\nservers using larger DH keys during the connection handshake. This\nupdate adds support for DH keys with size up to 2048 bits.\n(BZ#1148309)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-October/020690.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8402fc1e\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2014-October/001470.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0ab3ee60\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-6506\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.el6\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.el7_0\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the 
continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-25T09:50:19", "description": "Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. 
A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nThis update also fixes the following bug :\n\n - The TLS/SSL implementation in OpenJDK previously failed\n to handle Diffie-Hellman (DH) keys with more than 1024\n bits. This caused client applications using JSSE to fail\n to establish TLS/SSL connections to servers using larger\n DH keys during the connection handshake. 
This update\n adds support for DH keys with size up to 2048 bits.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "edition": 14, "published": "2014-10-23T00:00:00", "title": "Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x, SL7.x i386/x86_64 (20141015)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-10-23T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-headless", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-accessibility"], "id": "SL_20141015_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/78645", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78645);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x, SL7.x i386/x86_64 (20141015)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. 
(CVE-2014-6558)\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nThis update also fixes the following bug :\n\n - The TLS/SSL implementation in OpenJDK previously failed\n to handle Diffie-Hellman (DH) keys with more than 1024\n bits. This caused client applications using JSSE to fail\n to establish TLS/SSL connections to servers using larger\n DH keys during the connection handshake. This update\n adds support for DH keys with size up to 2048 bits.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1410&L=scientific-linux-errata&T=0&P=1973\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?167534fe\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.el6\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.el7_0\")) flag++;\n\n\nif 
(flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-25T09:15:34", "description": "Updated java-1.6.0-openjdk packages that fix multiple security issues\nand one bug are now available for Red Hat Enterprise Linux 5, 6, and\n7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. 
A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug :\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to\nservers using larger DH keys during the connection handshake. This\nupdate adds support for DH keys with size up to 2048 bits.\n(BZ#1148309)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 25, "published": "2014-10-15T00:00:00", "title": "RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2014:1634)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "modified": "2014-10-15T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo", "cpe:/o:redhat:enterprise_linux:7.7", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:6.6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo"], "id": "REDHAT-RHSA-2014-1634.NASL", "href": "https://www.tenable.com/plugins/nessus/78457", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1634. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78457);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_xref(name:\"RHSA\", value:\"2014:1634\");\n\n script_name(english:\"RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2014:1634)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-openjdk packages that fix multiple security issues\nand one bug are now available for Red Hat Enterprise Linux 5, 6, and\n7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,\nCVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in\nOpenJDK performed expansion of external parameter entities even when\nexternal entity substitution was disabled. 
A remote attacker could use\nthis flaw to perform XML eXternal Entity (XXE) attack against\napplications using the StAX parser to parse untrusted XML documents.\n(CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK\nfailed to perform source address checks for packets received on a\nconnected socket. A remote attacker could use this flaw to have their\npackets processed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE\ncomponent in OpenJDK failed to properly verify the server identity\nduring the renegotiation following session resumption, making it\npossible for malicious TLS/SSL servers to perform a Triple Handshake\nattack against clients using JSSE and client certificate\nauthentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could\npossibly allow an attacker to affect the integrity of an encrypted\nstream handled by this class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug :\n\n* The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to\nservers using larger DH keys during the connection handshake. This\nupdate adds support for DH keys with size up to 2048 bits.\n(BZ#1148309)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:1634\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6502\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6506\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6504\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6531\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6519\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6558\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6517\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6512\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1634\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", 
cpu:\"i386\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el5_11\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el6_6\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.33-1.13.5.0.el7_0\")) 
flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.33-1.13.5.0.el7_0\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:37:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "Several vulnerabilities have been\ndiscovered in OpenJDK, an implementation of the Oracle Java platform, resulting\nin the execution of arbitrary code, information disclosure or denial of service.", "modified": "2019-03-18T00:00:00", "published": "2014-11-29T00:00:00", "id": "OPENVAS:1361412562310703080", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703080", "type": "openvas", "title": "Debian Security Advisory DSA 3080-1 (openjdk-7 - security update)", "sourceData": "###########################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3080.nasl 14277 2019-03-18 14:45:38Z cfischer $\n# Auto-generated from advisory DSA 3080-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can 
redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n#############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703080\");\n script_version(\"$Revision: 14277 $\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\",\n \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\",\n \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_name(\"Debian Security Advisory DSA 3080-1 (openjdk-7 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:45:38 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-29 00:00:00 +0100 (Sat, 29 Nov 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-3080.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"openjdk-7 on Debian Linux\");\n 
script_tag(name:\"solution\", value:\"For the stable distribution (wheezy),\nthese problems have been fixed in version 7u71-2.5.3-2~deb7u1.\n\nFor the upcoming stable distribution (jessie), these problems have been\nfixed in version 7u71-2.5.3-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7u71-2.5.3-1.\n\nWe recommend that you upgrade your openjdk-7 packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been\ndiscovered in OpenJDK, an implementation of the Oracle Java platform, resulting\nin the execution of arbitrary code, information disclosure or denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-cacao\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-dbg\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-demo\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-doc\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jdk\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-headless\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"openjdk-7-jre-lib\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-zero\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-source\", ver:\"7u71-2.5.3-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "Check the version of java", "modified": "2019-03-08T00:00:00", "published": "2014-10-16T00:00:00", "id": "OPENVAS:1361412562310882058", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882058", "type": "openvas", "title": "CentOS Update for java CESA-2014:1633 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2014:1633 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882058\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-16 05:59:38 +0200 (Thu, 16 Oct 2014)\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\",\n \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\",\n \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"CentOS Update for java CESA-2014:1633 centos5\");\n\n script_tag(name:\"summary\", value:\"Check the version of java\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the\nOpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. 
A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. (CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug:\n\n * The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to servers\nusing larger DH keys during the connection handshake. This update adds\nsupport for DH keys with size up to 2048 bits. (BZ#1148309)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:1633\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-October/020683.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.71~2.5.3.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.71~2.5.3.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.71~2.5.3.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.71~2.5.3.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.71~2.5.3.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "Check the version of java", "modified": "2019-03-08T00:00:00", "published": "2014-10-16T00:00:00", "id": "OPENVAS:1361412562310882057", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882057", "type": "openvas", "title": "CentOS Update for java CESA-2014:1634 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2014:1634 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882057\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-16 05:59:29 +0200 (Thu, 16 Oct 2014)\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\",\n \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\",\n \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"CentOS Update for java CESA-2014:1634 centos7\");\n\n script_tag(name:\"summary\", value:\"Check the version of java\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.6.0-openjdk packages provide the\nOpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. 
A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. (CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug:\n\n * The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to servers\nusing larger DH keys during the connection handshake. This update adds\nsupport for DH keys with size up to 2048 bits. (BZ#1148309)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:1634\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-October/020689.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.33~1.13.5.0.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.33~1.13.5.0.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.33~1.13.5.0.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.33~1.13.5.0.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.33~1.13.5.0.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T23:01:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120344", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120344", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-431)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120344\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:24:12 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-431)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in OpenJDK. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update java-1.7.0-openjdk to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-431.html\");\n script_cve_id(\"CVE-2014-6502\", \"CVE-2014-6457\", \"CVE-2014-6506\", \"CVE-2014-6504\", \"CVE-2014-6531\", \"CVE-2014-6519\", \"CVE-2014-6558\", \"CVE-2014-6517\", \"CVE-2014-6511\", \"CVE-2014-6512\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = 
\"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.71~2.5.3.1.49.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.71~2.5.3.1.49.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.71~2.5.3.1.49.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.71~2.5.3.1.49.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.71~2.5.3.1.49.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.71~2.5.3.1.49.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "Oracle Linux Local Security Checks ELSA-2014-1633", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123287", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123287", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-1633", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-1633.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux 
Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123287\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:01:46 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-1633\");\n script_tag(name:\"insight\", value:\"ELSA-2014-1633 - java-1.7.0-openjdk security and bug fix update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-1633\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-1633.html\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.71~2.5.3.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.71~2.5.3.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.71~2.5.3.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.71~2.5.3.1.0.1.el5_11\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.71~2.5.3.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.", "modified": "2019-03-19T00:00:00", "published": "2014-11-26T00:00:00", "id": "OPENVAS:1361412562310703077", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703077", "type": "openvas", "title": "Debian Security Advisory DSA 3077-1 (openjdk-6 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3077.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 3077-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703077\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_name(\"Debian Security Advisory DSA 3077-1 (openjdk-6 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-26 00:00:00 +0100 (Wed, 26 Nov 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-3077.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"openjdk-6 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy), these problems have been fixed in\nversion 6b33-1.13.5-2~deb7u1.\n\nWe recommend that you upgrade your openjdk-6 packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.\");\n script_tag(name:\"vuldetect\", 
value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"icedtea-6-jre-jamvm\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-dbg\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-demo\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-doc\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-jdk\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-6-source\", ver:\"6b33-1.13.5-2~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", 
"CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-10-15T00:00:00", "id": "OPENVAS:1361412562310871260", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871260", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2014:1633-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2014:1633-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871260\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-15 06:03:42 +0200 (Wed, 15 Oct 2014)\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\",\n \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\",\n \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2014:1633-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.7.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. 
A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. (CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug:\n\n * The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to servers\nusing larger DH keys during the connection handshake. This update adds\nsupport for DH keys with size up to 2048 bits. (BZ#1148309)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java-1.7.0-openjdk on Red Hat Enterprise Linux (v. 
5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:1633-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-October/msg00024.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.71~2.5.3.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.71~2.5.3.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.71~2.5.3.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.71~2.5.3.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.71~2.5.3.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.71~2.5.3.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "Oracle Linux Local Security Checks ELSA-2014-1620", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123286", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123286", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-1620", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-1620.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123286\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:01:45 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-1620\");\n script_tag(name:\"insight\", value:\"ELSA-2014-1620 - java-1.7.0-openjdk security and bug fix update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-1620\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-1620.html\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\", \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\", \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.71~2.5.3.1.0.1.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-accessibility\", rpm:\"java-1.7.0-openjdk-accessibility~1.7.0.71~2.5.3.1.0.1.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.71~2.5.3.1.0.1.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.71~2.5.3.1.0.1.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.71~2.5.3.1.0.1.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.71~2.5.3.1.0.1.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.71~2.5.3.1.0.1.el7_0\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.71~2.5.3.1.0.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.71~2.5.3.1.0.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if 
((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.71~2.5.3.1.0.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.71~2.5.3.1.0.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.71~2.5.3.1.0.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-08-04T10:48:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "Several vulnerabilities have been\ndiscovered in OpenJDK, an implementation of the Oracle Java platform, resulting\nin the execution of arbitrary code, information disclosure or denial of service.", "modified": "2017-07-20T00:00:00", "published": "2014-11-29T00:00:00", "id": "OPENVAS:703080", "href": "http://plugins.openvas.org/nasl.php?oid=703080", "type": "openvas", "title": "Debian Security Advisory DSA 3080-1 (openjdk-7 - security update)", "sourceData": "###########################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3080.nasl 6769 2017-07-20 09:56:33Z teissa $\n# Auto-generated from advisory DSA 3080-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under 
the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n#############################################################################\n\nif(description)\n{\n script_id(703080);\n script_version(\"$Revision: 6769 $\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\",\n \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\",\n \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_name(\"Debian Security Advisory DSA 3080-1 (openjdk-7 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-20 11:56:33 +0200 (Thu, 20 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2014-11-29 00:00:00 +0100 (Sat, 29 Nov 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3080.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"openjdk-7 on Debian Linux\");\n script_tag(name: \"insight\", value: \"OpenJDK is a development environment for\nbuilding 
applications, applets, and components using the Java programming\nlanguage.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthese problems have been fixed in version 7u71-2.5.3-2~deb7u1.\n\nFor the upcoming stable distribution (jessie), these problems have been\nfixed in version 7u71-2.5.3-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7u71-2.5.3-1.\n\nWe recommend that you upgrade your openjdk-7 packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities have been\ndiscovered in OpenJDK, an implementation of the Oracle Java platform, resulting\nin the execution of arbitrary code, information disclosure or denial of service.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"icedtea-7-jre-cacao\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-dbg\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-demo\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-doc\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-jdk\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-jre\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != 
NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-jre-headless\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-jre-lib\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-jre-zero\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openjdk-7-source\", ver:\"7u71-2.5.3-2~deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6512"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-10-15T00:00:00", "id": "OPENVAS:1361412562310871258", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871258", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2014:1634-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.6.0-openjdk RHSA-2014:1634-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871258\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-15 06:03:12 +0200 (Wed, 15 Oct 2014)\");\n script_cve_id(\"CVE-2014-6457\", \"CVE-2014-6502\", \"CVE-2014-6504\", \"CVE-2014-6506\",\n \"CVE-2014-6511\", \"CVE-2014-6512\", \"CVE-2014-6517\", \"CVE-2014-6519\",\n \"CVE-2014-6531\", \"CVE-2014-6558\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"RedHat Update for java-1.6.0-openjdk RHSA-2014:1634-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.6.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the Libraries, 2D, and Hotspot components\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass certain Java sandbox restrictions. 
(CVE-2014-6506, CVE-2014-6531,\nCVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)\n\nIt was discovered that the StAX XML parser in the JAXP component in OpenJDK\nperformed expansion of external parameter entities even when external\nentity substitution was disabled. A remote attacker could use this flaw to\nperform XML eXternal Entity (XXE) attack against applications using the\nStAX parser to parse untrusted XML documents. (CVE-2014-6517)\n\nIt was discovered that the DatagramSocket implementation in OpenJDK failed\nto perform source address checks for packets received on a connected\nsocket. A remote attacker could use this flaw to have their packets\nprocessed as if they were received from the expected source.\n(CVE-2014-6512)\n\nIt was discovered that the TLS/SSL implementation in the JSSE component in\nOpenJDK failed to properly verify the server identity during the\nrenegotiation following session resumption, making it possible for\nmalicious TLS/SSL servers to perform a Triple Handshake attack against\nclients using JSSE and client certificate authentication. (CVE-2014-6457)\n\nIt was discovered that the CipherInputStream class implementation in\nOpenJDK did not properly handle certain exceptions. This could possibly\nallow an attacker to affect the integrity of an encrypted stream handled by\nthis class. (CVE-2014-6558)\n\nThe CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThis update also fixes the following bug:\n\n * The TLS/SSL implementation in OpenJDK previously failed to handle\nDiffie-Hellman (DH) keys with more than 1024 bits. This caused client\napplications using JSSE to fail to establish TLS/SSL connections to servers\nusing larger DH keys during the connection handshake. This update adds\nsupport for DH keys with size up to 2048 bits. (BZ#1148309)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java-1.6.0-openjdk on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:1634-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-October/msg00025.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6|5)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.33~1.13.5.0.el7_0\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.33~1.13.5.0.el7_0\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.33~1.13.5.0.el7_0\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.33~1.13.5.0.el6_6\", 
rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.33~1.13.5.0.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.33~1.13.5.0.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.33~1.13.5.0.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.33~1.13.5.0.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.33~1.13.5.0.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.33~1.13.5.0.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.33~1.13.5.0.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.33~1.13.5.0.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.33~1.13.5.0.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:42:33", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6513", "CVE-2014-6512"], "description": "OpenJDK was updated to icedtea 2.5.3 (OpenJDK 7u71) fixing security issues\n and bugs.\n\n * Security:\n - S8015256: Better class accessibility\n - S8022783, CVE-2014-6504: Optimize C2 optimizations\n - S8035162: Service printing service\n - S8035781: Improve equality for annotations\n - S8036805: Correct linker method lookup.\n - S8036810: Correct linker field lookup\n - S8036936: Use local locales\n - S8037066, CVE-2014-6457: Secure transport layer\n - S8037846, CVE-2014-6558: Ensure streaming of input cipher streams\n - S8038364: Use certificate exceptions correctly\n - S8038899: Safer safepoints\n - S8038903: More native monitor monitoring\n - S8038908: Make Signature more robust\n - S8038913: Bolster XML support\n - S8039509, CVE-2014-6512: Wrap sockets more thoroughly\n - S8039533, CVE-2014-6517: Higher resolution resolvers\n - S8041540, CVE-2014-6511: Better use of pages in font processing\n - S8041529: Better parameterization of parameter lists\n - S8041545: Better validation of generated rasters\n - S8041564, CVE-2014-6506: Improved management of logger resources\n - S8041717, CVE-2014-6519: Issue with class file parser\n - S8042609, CVE-2014-6513: Limit splashiness of splash images\n - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord\n - S8044274, CVE-2014-6531: Proper property processing\n\n * Backports:\n - S4963723: Implement SHA-224\n - S7044060: Need to support NSA Suite B Cryptography algorithms\n - S7122142: (ann) Race condition between isAnnotationPresent and\n getAnnotations\n - S7160837: DigestOutputStream does not turn off digest calculation when\n "close()" is called\n - S8006935: Need to take care of long secret keys in 
HMAC/PRF computation\n - S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode\n - S8028192: Use of PKCS11-NSS provider in FIPS mode broken\n - S8038000: java.awt.image.RasterFormatException: Incorrect scanline stride\n - S8039396: NPE when writing a class descriptor object to a custom\n ObjectOutputStream\n - S8042603: 'SafepointPollOffset' was not declared in static member\n function 'static bool Arguments::check_vm_args_consistency()'\n - S8042850: Extra unused entries in ICU ScriptCodes enum\n - S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp tests fail since\n 7u71 b01\n - S8053963: (dc) Use DatagramChannel.receive() instead of read() in\n connect()\n - S8055176: 7u71 l10n resource file translation update\n\n * Bugfixes:\n - PR1988: C++ Interpreter should no longer be used on ppc64\n - PR1989: Make jdk_generic_profile.sh handle missing programs better and\n be more verbose\n - PR1992, RH735336: Support retrieving proxy settings on GNOME 3.12.2\n - PR2000: Synchronise HEAD tarball paths with release branch paths\n - PR2002: Fix references to hotspot.map following PR2000\n - PR2003: --disable-system-gtk option broken by refactoring in PR1736\n - PR2009: Checksum of policy JAR files changes on every build\n - PR2014: Use version from hotspot.map to create tarball filename\n - PR2015: Update hotspot.map documentation in INSTALL\n - PR2025: LCMS_CFLAGS and LCMS_LIBS should not be used unless SYSTEM_LCMS\n is enabled\n - RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError\n (revised comprehensive fix)\n\n * CACAO\n - PR2030, G453612, CA172: ARM hardfloat support for CACAO\n\n * AArch64 port\n - AArch64 C2 instruct for smull\n - Add frame anchor fences.\n - Add MacroAssembler::maybe_isb()\n - Add missing instruction synchronization barriers and cache flushes.\n - Add support for a few simple intrinsics\n - Add support for builtin crc32 instructions\n - Add support for Neon implementation of CRC32\n - All address constants are 48 bits 
in size.\n - array load must only read 32 bits\n - Define uabs(). Use it everywhere an absolute value is wanted.\n - Fast string comparison\n - Fast String.equals()\n - Fix register usage in generate_verify_oop().\n - Fix thinko in Atomic::xchg_ptr.\n - Fix typo in fsqrts\n - Improve C1 performance improvements in ic_cache checks\n - Performance improvement and ease of use changes pulled from upstream\n - Remove obsolete C1 patching code.\n - Replace hotspot jtreg test suite with tests from jdk7u\n - S8024648: 7141246 breaks Zero port\n - Save intermediate state before removing C1 patching code.\n - Unwind native AArch64 frames.\n - Use 2- and 3-instruction immediate form of movoop and mov_metadata in\n C2-generated code.\n - Various concurrency fixes.\n\n", "edition": 1, "modified": "2014-11-13T17:04:46", "published": "2014-11-13T17:04:46", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00013.html", "id": "SUSE-SU-2014:1422-1", "title": "Security update for java-1_7_0-openjdk (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-18T01:45:11", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6513", "CVE-2014-6512"], "description": "A vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and data integrity. An attacker could exploit this to expose \nsensitive data over the network. (CVE-2014-6457)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6558)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. 
(CVE-2014-6504, CVE-2014-6511, CVE-2014-6517, \nCVE-2014-6531)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. (CVE-2014-6506, CVE-2014-6513)", "edition": 6, "modified": "2014-10-17T00:00:00", "published": "2014-10-17T00:00:00", "id": "USN-2386-1", "href": "https://ubuntu.com/security/notices/USN-2386-1", "title": "OpenJDK 6 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T01:33:54", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6513", "CVE-2014-6527", "CVE-2014-6512"], "description": "USN-2388-1 fixed vulnerabilities in OpenJDK 7 for Ubuntu 14.04 LTS. This \nupdate provides the corresponding updates for Ubuntu 14.10.\n\nOriginal advisory details:\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and data integrity. An attacker could exploit this to expose \nsensitive data over the network. (CVE-2014-6457)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6527, \nCVE-2014-6558)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517, \nCVE-2014-6531)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. 
(CVE-2014-6506, CVE-2014-6513)", "edition": 5, "modified": "2014-10-23T00:00:00", "published": "2014-10-23T00:00:00", "id": "USN-2388-2", "href": "https://ubuntu.com/security/notices/USN-2388-2", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:32:47", "bulletinFamily": "unix", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6519", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6457", "CVE-2014-6511", "CVE-2014-6531", "CVE-2014-6513", "CVE-2014-6527", "CVE-2014-6512"], "description": "A vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and data integrity. An attacker could exploit this to expose \nsensitive data over the network. (CVE-2014-6457)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6527, \nCVE-2014-6558)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517, \nCVE-2014-6531)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. 
(CVE-2014-6506, CVE-2014-6513)", "edition": 6, "modified": "2014-10-23T00:00:00", "published": "2014-10-23T00:00:00", "id": "USN-2388-1", "href": "https://ubuntu.com/security/notices/USN-2388-1", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, and 7u67, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Hotspot.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6504", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6504"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0"], "id": "CVE-2014-6504", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6504", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": 
"2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.", "edition": 4, "cvss3": {}, "published": "2014-10-15T15:55:00", "title": "CVE-2014-6457", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6457"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jrockit:r27.8.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jrockit:r28.3.3", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0", "cpe:/a:oracle:jdk:1.8.0"], "id": "CVE-2014-6457", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6457", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update67:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r28.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r27.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6558", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6558"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jrockit:r27.8.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jrockit:r28.3.3", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0"], "id": "CVE-2014-6558", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6558", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r28.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r27.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": 
"2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and Jrockit R27.8.3 and R28.3.3 allows remote attackers to affect confidentiality via vectors related to JAXP.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6517", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6517"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jrockit:r27.8.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jrockit:r28.3.3", "cpe:/a:oracle:jre:1.7.0"], "id": "CVE-2014-6517", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6517", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r28.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r27.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries.", "edition": 4, "cvss3": 
{}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6531", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6531"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0"], "id": "CVE-2014-6531", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6531", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6512", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6512"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jrockit:r27.8.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jrockit:r28.3.3", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0", "cpe:/a:oracle:jdk:1.8.0"], "id": "CVE-2014-6512", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6512", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r28.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r27.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6511", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6511"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0"], "id": "CVE-2014-6511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6511", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6506", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6506"], "modified": 
"2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0"], "id": "CVE-2014-6506", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6506", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 7u67 and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Hotspot.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6519", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6519"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0"], "id": "CVE-2014-6519", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6519", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": 
["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:20", "description": "Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries.", "edition": 4, "cvss3": {}, "published": "2014-10-15T22:55:00", "title": "CVE-2014-6502", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6502"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.5.0"], "id": "CVE-2014-6502", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6502", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jre:1.8.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update_81:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update_71:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update60:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_67:*:*:*:*:*:*"]}], "kaspersky": [{"lastseen": "2020-09-02T11:41:57", "bulletinFamily": 
"info", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6515", "CVE-2014-6493", "CVE-2014-6519", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-6476", "CVE-2014-6503", "CVE-2014-6562", "CVE-2014-6511", "CVE-2014-6485", "CVE-2014-6531", "CVE-2014-6456", "CVE-2014-6468", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-4288", "CVE-2014-6513", "CVE-2014-6527", "CVE-2014-6512"], "description": "### *Detect date*:\n10/15/2014\n\n### *Severity*:\nCritical\n\n### *Description*:\nUnspecified vulnerabilities were found in Oracle products. By exploiting these vulnerabilities malicious users can affect integrity, confidentiality and availability. These vulnerabilities can be exploited remotely via unknown vectors related to JSSE, JAXP, AWT, 2D, Deployment, Libraries, Hotspot, Security and other unknown points.\n\n### *Affected products*:\nOracle Java SE 6 version 6u81 \nOracle Java SE 7 version 7u67 \nOracle Java SE 6 version 8u20 \nOracle JRockit versions R27.8.3 and R28.3.3\n\n### *Solution*:\nUpdate to the latest version.\n\n### *Original advisories*:\n[Oracle advisory](<http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixJAVA>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Sun Java JRE 1.6.x](<https://threats.kaspersky.com/en/product/Sun-Java-JRE-1.6.x/>)\n\n### *CVE-IDS*:\n[CVE-2014-6476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6476>) 5.0 Critical \n[CVE-2014-6532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6532>) 9.3 Critical \n[CVE-2014-6456](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6456>) 9.3 Critical \n[CVE-2014-6457](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457>) 4.0 Warning \n[CVE-2014-6458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6458>) 6.9 High \n[CVE-2014-6531](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531>) 4.3 Warning 
\n[CVE-2014-6519](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519>) 5.0 Critical \n[CVE-2014-6558](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558>) 2.6 Warning \n[CVE-2014-6485](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6485>) 9.3 Critical \n[CVE-2014-4288](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4288>) 7.6 Critical \n[CVE-2014-6511](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511>) 5.0 Critical \n[CVE-2014-6512](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512>) 4.3 Warning \n[CVE-2014-6515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6515>) 5.0 Critical \n[CVE-2014-6517](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517>) 5.0 Critical \n[CVE-2014-6513](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6513>) 10.0 Critical \n[CVE-2014-6493](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6493>) 7.6 Critical \n[CVE-2014-6492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6492>) 7.6 Critical \n[CVE-2014-6468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6468>) 6.8 High \n[CVE-2014-6466](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6466>) 6.9 High \n[CVE-2014-6562](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6562>) 9.3 Critical \n[CVE-2014-6503](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6503>) 9.3 Critical \n[CVE-2014-6502](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502>) 2.6 Warning \n[CVE-2014-6527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6527>) 2.6 Warning \n[CVE-2014-6506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506>) 6.8 High \n[CVE-2014-6504](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504>) 5.0 Critical", "edition": 43, "modified": "2020-05-22T00:00:00", "published": "2014-10-15T00:00:00", "id": "KLA10505", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10505", "title": "KLA10505 Multiple vulnerabilities in Oracle products", 
"type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2019-03-12T00:17:13", "bulletinFamily": "software", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6515", "CVE-2014-6493", "CVE-2014-6519", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-6476", "CVE-2014-6503", "CVE-2014-6562", "CVE-2014-6511", "CVE-2014-6485", "CVE-2014-6531", "CVE-2014-6456", "CVE-2014-6468", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-4288", "CVE-2014-6513", "CVE-2014-6527", "CVE-2014-6512"], "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerabilities, and for information about releases or hotfixes that address the vulnerabilities, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | None \nBIG-IP AAM | None | 11.4.0 - 11.6.0 | None \nBIG-IP AFM | None | 11.3.0 - 11.6.0 | None \nBIG-IP Analytics | None | 11.0.0 - 11.6.0 | None \nBIG-IP APM | None | 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | None \nBIG-IP ASM | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | None \nBIG-IP Edge Gateway | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | None \nBIG-IP GTM | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | None \nBIG-IP Link Controller | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | None \nBIG-IP PEM | None | 11.3.0 - 11.6.0 | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4 | None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | None \nBIG-IP WOM | None | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | None \nARX | None | 6.0.0 - 6.4.0 | None \nEnterprise Manager | None | 3.0.0 - 3.1.1, 2.1.0 - 2.3.0 | None \nFirePass | None | 7.0.0, 6.0.0 - 6.1.0 | None \nBIG-IQ Cloud | None | 4.0.0 - 4.4.0 | None \nBIG-IQ Device | None | 4.2.0 - 4.4.0 | None \nBIG-IQ Security | None | 4.0.0 - 4.4.0 | None \nLineRate | None | 2.2.0 - 2.4.1, 1.6.0 - 1.6.4 | None \n\nVulnerability Recommended Actions\n\nNone \n\nSupplemental Information\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2017-04-06T16:51:00", "published": "2014-10-28T04:08:00", "id": "F5:K15745", "href": "https://support.f5.com/csp/article/K15745", "title": "Multiple Oracle Java vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, 
{"lastseen": "2016-09-26T17:23:10", "bulletinFamily": "software", "cvelist": ["CVE-2014-6506", "CVE-2014-6558", "CVE-2014-6515", "CVE-2014-6493", "CVE-2014-6519", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6504", "CVE-2014-6502", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-6476", "CVE-2014-6503", "CVE-2014-6562", "CVE-2014-6511", "CVE-2014-6485", "CVE-2014-6531", "CVE-2014-6456", "CVE-2014-6468", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-4288", "CVE-2014-6513", "CVE-2014-6527", "CVE-2014-6512"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from 
F5\n", "modified": "2016-07-25T00:00:00", "published": "2014-10-27T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/700/sol15745.html", "id": "SOL15745", "title": "SOL15745 - Multiple Oracle Java vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
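The advisories above name the affected Oracle Java SE update levels (6u81, 7u67, 8u20) and give "update to the latest version" as the fix, which leaves the practical question of how to triage a fleet. The script below is an added example, not tooling from Kaspersky, F5, Oracle or Amazon: it parses `java -version` output and compares the update level with the levels listed in KLA10505. It assumes (an assumption, since the advisory lists only the top affected update of each line) that any release at or below the listed update level is affected, and it deliberately refuses to judge vendor OpenJDK builds such as the Amazon Linux `java-1.6.0-openjdk` package from ALAS-2014-430, because distributions backport CVE fixes without changing the upstream update number. All sample outputs are constructed, not captured from real hosts.

```python
"""Triage helper for the Oracle Java SE October 2014 CPU (KLA10505 / ALAS-2014-430).

Added example: parses `java -version` output and compares the update level with
the affected releases named in the advisory. Not part of any advisory's own tooling.
"""
import re
from typing import Optional, Tuple

# Update levels the advisory lists as affected (Oracle Java SE 6u81, 7u67, 8u20).
# Assumption (not stated on the page): anything at or below these on the same
# major version is treated as affected, since Oracle CPU fixes land in the next update.
AFFECTED_MAX_UPDATE = {6: 81, 7: 67, 8: 20}

# Pre-JEP 223 numbering: 'java version "1.7.0_67"' -> major 7, update 67.
# Java 9+ strings ("11.0.2") are outside the advisory and are reported as unknown.
_LEGACY = re.compile(r'1\.(\d+)\.\d+_(\d+)')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from the version line of `java -version`, or None."""
    for line in output.splitlines():
        if line.startswith(("java version", "openjdk version")):
            m = _LEGACY.search(line)
            if m:
                return int(m.group(1)), int(m.group(2))
    return None


def is_vendor_build(output: str) -> bool:
    """Distro OpenJDK builds backport CVE fixes without bumping the update
    number, so the upstream table above does not apply to them."""
    return "OpenJDK" in output


def triage(output: str) -> str:
    """Classify one host's `java -version` output against the advisory."""
    if is_vendor_build(output):
        return "vendor-build: compare the package version/changelog against the CVE list instead"
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown: unrecognised version string"
    major, update = parsed
    ceiling = AFFECTED_MAX_UPDATE.get(major)
    if ceiling is None:
        return f"not-listed: Java SE {major} is outside the advisory"
    if update <= ceiling:
        return f"affected: Java SE {major}u{update} (advisory lists up to {major}u{ceiling})"
    return f"not-affected: Java SE {major}u{update} is newer than {major}u{ceiling}"


# Constructed sample outputs for demonstration (not captured from real hosts).
SAMPLES = {
    "oracle_7u67": 'java version "1.7.0_67"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_67-b01)\n'
                   'Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)\n',
    "oracle_7u71": 'java version "1.7.0_71"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_71-b14)\n',
    "oracle_8u20": 'java version "1.8.0_20"\n',
    "amazon_openjdk6": 'java version "1.6.0_33"\n'
                       'OpenJDK Runtime Environment (IcedTea6 1.13.5) (amazon-65.1.13.5.63.amzn1-x86_64)\n',
    "garbage": 'bash: java: command not found\n',
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:16s} -> {triage(out)}")
```

`java -version` writes to stderr, so collect it with `java -version 2>&1` before feeding it to `triage`. For the Amazon Linux package the right check is the package metadata, for example `rpm -q --changelog java-1.6.0-openjdk | grep CVE-2014-6517`, which is why the script routes every OpenJDK build to that path instead of guessing from the update number.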