ID ASA-201504-17 Type archlinux Reporter Arch Linux Modified 2015-04-17T00:00:00
Description
CVE-2005-1080 CVE-2015-0480 (directory traversal)
A directory traversal flaw was found in the way the jar tool extracted
JAR archive files. A specially crafted JAR archive could cause jar to
overwrite arbitrary files writable by the user running jar when the
archive was extracted.
CVE-2015-0460 (arbitrary code execution)
A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2015-0469 (arbitrary code execution)
An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font
file could possibly cause the Java Virtual Machine to execute arbitrary
code, allowing an untrusted Java application or applet to bypass Java
sandbox restrictions.
CVE-2015-0477 (sandbox restriction bypass)
A flaw was discovered in the Beans component in OpenJDK. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions.
CVE-2015-0478 (weak implementation)
It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
CVE-2015-0488 (denial of service)
A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly.
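The directory-traversal item above (CVE-2005-1080, CVE-2015-0480) is the generic archive-extraction bug: the extractor trusts member names, so a name such as `../../.bashrc` or `/etc/cron.d/job` lands outside the target directory. The check a fixed extractor needs is per-member containment: resolve where the member would be written and refuse anything that does not stay under the destination. The following is an added example, not code from the Arch advisory or from OpenJDK's `jar` tool; it is written in Python rather than Java so it runs without a JDK, and since a JAR is a zip file, `zipfile` can both build a constructed hostile archive in memory and inspect it. The member names and destination directory are made up for the demonstration.

```python
"""Containment check for JAR (zip) member names.

Added example, not code from the Arch advisory or OpenJDK's jar tool.
The archives below are constructed in memory; the member names are
made up to show the traversal shapes a fixed extractor must refuse.
"""
import io
import os
import tempfile
import zipfile


def build_jar(entries: dict) -> bytes:
    """Build an in-memory JAR from {member_name: bytes}. zipfile stores
    member names verbatim, so hostile names survive into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real artifacts).
CLEAN_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Hello.class": b"\xca\xfe\xba\xbe",
})
CRAFTED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "../../.bashrc": b"alias ls='echo owned'\n",   # climbs out via '..'
    "/etc/cron.d/job": b"* * * * * root id\n",      # absolute path
    "ok/../../outside.txt": b"x",                   # '..' buried mid-path
    "a/../b.txt": b"y",                             # '..' that stays inside
})


def resolved_target(dest: str, member: str) -> str:
    """Path the OS would actually write for `member` under `dest`.
    os.path.join discards `dest` when `member` is absolute, which is
    exactly why the resolved path, not the raw name, must be checked."""
    return os.path.realpath(os.path.join(dest, member))


def is_contained(dest: str, target: str) -> bool:
    """True if `target` is `dest` itself or lies below it."""
    dest = os.path.realpath(dest)
    try:
        return os.path.commonpath([dest, target]) == dest
    except ValueError:  # different drives on Windows: not contained
        return False


def unsafe_entries(jar_bytes: bytes, dest: str) -> list:
    """Names of members whose extraction path would land outside `dest`."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist()
                if not is_contained(dest, resolved_target(dest, n))]


def safe_extract(jar_bytes: bytes, dest: str) -> list:
    """Extract into `dest`, failing closed: if any member escapes, write
    nothing at all. Returns the relative paths written."""
    bad = unsafe_entries(jar_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal members: {bad}")
    written = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            target = resolved_target(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def demo() -> dict:
    """Run both archives against a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        out = {"clean": sorted(safe_extract(CLEAN_JAR, d)),
               "crafted_bad": unsafe_entries(CRAFTED_JAR, d)}
        try:
            safe_extract(CRAFTED_JAR, d)
            out["crafted_refused"] = False
        except ValueError:
            out["crafted_refused"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the check compares resolved paths, not substrings, so `a/../b.txt` (which stays inside) is accepted while `ok/../../outside.txt` is not; and the archive is refused as a whole rather than having bad members skipped, so a partially extracted tree never reaches the user.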
{"modified": "2015-04-17T00:00:00", "id": "ASA-201504-17", "edition": 1, "title": "jre7-openjdk-headless: multiple issues", "viewCount": 0, "objectVersion": "1.2", "description": "- CVE-2005-1080 CVE-2015-0480 (directory traversal)\n\nA directory traversal flaw was found in the way the jar tool extracted\nJAR archive files. A specially crafted JAR archive could cause jar to\noverwrite arbitrary files writable by the user running jar when the\narchive was extracted.\n\n- CVE-2015-0460 (arbitrary code execution)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n\n- CVE-2015-0469 (arbitrary code execution)\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font\nfile could possibly cause the Java Virtual Machine to execute arbitrary\ncode, allowing an untrusted Java application or applet to bypass Java\nsandbox restrictions.\n\n- CVE-2015-0477 (sandbox restriction bypass)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0478 (weak implementation)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n\n- CVE-2015-0488 (denial of service)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. 
A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly.", "type": "archlinux", "lastseen": "2016-09-02T18:44:37", "affectedPackage": [{"packageVersion": "7.u79_2.5.5-1", "packageFilename": "UNKNOWN", "OS": "any", "arch": "any", "OSVersion": "any", "operator": "lt", "packageName": "jre7-openjdk-headless"}], "history": [], "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000296.html", "hash": "9375d3194b52905b06bb4e731aa9a8ca02be75bd4323c17df9211c9855ad5a8c", "published": "2015-04-17T00:00:00", "reporter": "Arch Linux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "references": ["https://access.redhat.com/security/cve/CVE-2015-0469", "https://access.redhat.com/security/cve/CVE-2015-0478", "https://access.redhat.com/security/cve/CVE-2015-0460", "https://access.redhat.com/security/cve/CVE-2015-0480", "https://access.redhat.com/security/cve/CVE-2015-0488", "https://access.redhat.com/security/cve/CVE-2015-0477", "https://access.redhat.com/security/cve/CVE-2005-1080"], "bulletinFamily": "unix", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "enchantments": {"vulnersScore": 9.3}}
{"result": {"cve": [{"id": "CVE-2015-0477", "type": "cve", "title": "CVE-2015-0477", "description": "Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity via unknown vectors related to Beans.", "published": "2015-04-16T12:59:31", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0477", "cvelist": ["CVE-2015-0477"], "lastseen": "2017-11-04T10:52:42"}, {"id": "CVE-2015-0469", "type": "cve", "title": "CVE-2015-0469", "description": "Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.", "published": "2015-04-16T12:59:23", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0469", "cvelist": ["CVE-2015-0469"], "lastseen": "2017-11-04T10:52:42"}, {"id": "CVE-2005-1080", "type": "cve", "title": "CVE-2005-1080", "description": "Directory traversal vulnerability in the Java Archive Tool (Jar) utility in J2SE SDK 1.4.2 and 1.5, and OpenJDK, allows remote attackers to create or overwrite arbitrary files via a .. 
(dot dot) in filenames in a .jar file.", "published": "2005-05-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1080", "cvelist": ["CVE-2005-1080"], "lastseen": "2017-04-18T15:51:05"}, {"id": "CVE-2015-0478", "type": "cve", "title": "CVE-2015-0478", "description": "Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect confidentiality via vectors related to JCE.", "published": "2015-04-16T12:59:32", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0478", "cvelist": ["CVE-2015-0478"], "lastseen": "2017-11-04T10:52:42"}, {"id": "CVE-2015-0460", "type": "cve", "title": "CVE-2015-0460", "description": "Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.", "published": "2015-04-16T12:59:17", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0460", "cvelist": ["CVE-2015-0460"], "lastseen": "2017-11-04T10:52:42"}, {"id": "CVE-2015-0488", "type": "cve", "title": "CVE-2015-0488", "description": "Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect availability via vectors related to JSSE.", "published": "2015-04-16T12:59:39", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0488", "cvelist": ["CVE-2015-0488"], "lastseen": "2017-11-04T10:52:42"}, {"id": "CVE-2015-0480", "type": "cve", "title": "CVE-2015-0480", "description": "Unspecified 
vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.", "published": "2015-04-16T12:59:33", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0480", "cvelist": ["CVE-2015-0480"], "lastseen": "2017-11-04T10:52:42"}], "ubuntu": [{"id": "USN-2573-1", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-0460, CVE-2015-0469)\n\nAlexander Cherepanov discovered that OpenJDK JRE was vulnerable to directory traversal issues with respect to handling jar files. An attacker could use this to expose sensitive data. (CVE-2015-0480)\n\nFlorian Weimer discovered that the RSA implementation in the JCE component in OpenJDK JRE did not follow recommended practices for implementing RSA signatures. An attacker could use this to expose sensitive data. (CVE-2015-0478)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-0477)\n\nA vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. 
(CVE-2015-0488)", "published": "2015-04-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2573-1/", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2018-03-29T18:20:55"}, {"id": "USN-2574-1", "type": "ubuntu", "title": "OpenJDK 7 vulnerabilities", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-0460, CVE-2015-0469)\n\nAlexander Cherepanov discovered that OpenJDK JRE was vulnerable to directory traversal issues with respect to handling jar files. An attacker could use this to expose sensitive data. (CVE-2015-0480)\n\nFlorian Weimer discovered that the RSA implementation in the JCE component in OpenJDK JRE did not follow recommended practices for implementing RSA signatures. An attacker could use this to expose sensitive data. (CVE-2015-0478)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-0477)\n\nA vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. 
(CVE-2015-0488)", "published": "2015-04-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2574-1/", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2018-03-29T18:17:37"}], "openvas": [{"id": "OPENVAS:1361412562310842174", "type": "openvas", "title": "Ubuntu Update for openjdk-6 USN-2573-1", "description": "Check the version of openjdk-6", "published": "2015-04-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842174", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-12-04T11:24:23"}, {"id": "OPENVAS:1361412562310842172", "type": "openvas", "title": "Ubuntu Update for openjdk-7 USN-2574-1", "description": "Check the version of openjdk-7", "published": "2015-04-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842172", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-12-04T11:22:29"}, {"id": "OPENVAS:1361412562310882169", "type": "openvas", "title": "CentOS Update for java CESA-2015:0806 centos7 ", "description": "Check the version of java", "published": "2015-04-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882169", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-07-25T10:53:54"}, {"id": "OPENVAS:1361412562310805536", "type": "openvas", "title": "Oracle Java SE 
JRE Multiple Unspecified Vulnerabilities-02 Apr 2015 (Windows)", "description": "The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.", "published": "2015-04-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805536", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0459", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2017-11-13T12:55:21"}, {"id": "OPENVAS:1361412562310123131", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-0807", "description": "Oracle Linux Local Security Checks ELSA-2015-0807", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123131", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-07-24T12:53:03"}, {"id": "OPENVAS:1361412562310123132", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-0809", "description": "Oracle Linux Local Security Checks ELSA-2015-0809", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123132", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2017-07-24T12:52:36"}, {"id": "OPENVAS:1361412562310120532", "type": "openvas", "title": "Amazon Linux Local Check: alas-2015-515", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310120532", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-07-24T12:52:57"}, {"id": "OPENVAS:1361412562310120533", "type": "openvas", "title": "Amazon Linux Local Check: alas-2015-516", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120533", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-07-24T12:53:31"}, {"id": "OPENVAS:1361412562310882170", "type": "openvas", "title": "CentOS Update for java CESA-2015:0808 centos6 ", "description": "Check the version of java", "published": "2015-04-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882170", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-07-25T10:53:05"}, {"id": "OPENVAS:1361412562310882166", "type": "openvas", "title": "CentOS Update for java CESA-2015:0807 centos5 ", "description": "Check the version of java", "published": "2015-04-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882166", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-07-25T10:53:40"}], "nessus": [{"id": "UBUNTU_USN-2573-1.NASL", "type": "nessus", "title": "Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2573-1)", "description": 
"Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-0460, CVE-2015-0469)\n\nAlexander Cherepanov discovered that OpenJDK JRE was vulnerable to directory traversal issues with respect to handling jar files. An attacker could use this to expose sensitive data. (CVE-2015-0480)\n\nFlorian Weimer discovered that the RSA implementation in the JCE component in OpenJDK JRE did not follow recommended practices for implementing RSA signatures. An attacker could use this to expose sensitive data. (CVE-2015-0478)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-0477)\n\nA vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-0488).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-04-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82991", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-29T13:35:33"}, {"id": "UBUNTU_USN-2574-1.NASL", "type": "nessus", "title": "Ubuntu 14.04 LTS / 14.10 : openjdk-7 vulnerabilities (USN-2574-1)", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. 
An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-0460, CVE-2015-0469)\n\nAlexander Cherepanov discovered that OpenJDK JRE was vulnerable to directory traversal issues with respect to handling jar files. An attacker could use this to expose sensitive data. (CVE-2015-0480)\n\nFlorian Weimer discovered that the RSA implementation in the JCE component in OpenJDK JRE did not follow recommended practices for implementing RSA signatures. An attacker could use this to expose sensitive data. (CVE-2015-0478)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-0477)\n\nA vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-0488).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-04-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82992", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-29T13:36:44"}, {"id": "DEBIAN_DSA-3235.NASL", "type": "nessus", "title": "Debian DSA-3235-1 : openjdk-7 - security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.", "published": "2015-04-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83063", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2017-10-29T13:42:48"}, {"id": "ORACLELINUX_ELSA-2015-0809.NASL", "type": "nessus", "title": "Oracle Linux 6 / 7 : java-1.8.0-openjdk (ELSA-2015-0809)", "description": "From Red Hat Security Advisory 2015:0809 :\n\nUpdated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488)\n\nMultiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. 
(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-04-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82789", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2017-10-29T13:41:06"}, {"id": "CENTOS_RHSA-2015-0808.NASL", "type": "nessus", "title": "CentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2015:0808)", "description": "Updated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. 
An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. 
All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-04-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82803", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-29T13:43:34"}, {"id": "CENTOS_RHSA-2015-0806.NASL", "type": "nessus", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:0806)", "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. 
(CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. (CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. 
All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-04-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82801", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-29T13:42:20"}, {"id": "DEBIAN_DSA-3234.NASL", "type": "nessus", "title": "Debian DSA-3234-1 : openjdk-6 - security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.", "published": "2015-04-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83062", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2017-10-29T13:37:39"}, {"id": "MANDRIVA_MDVSA-2015-212.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2015:212)", "description": "Updated java-1.7.0 packages fix security vulnerabilities :\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions (CVE-2015-0469).\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. 
An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0460).\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly (CVE-2015-0488).\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2015-0477).\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted (CVE-2005-1080, CVE-2015-0480).\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures (CVE-2015-0478).", "published": "2015-04-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83104", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-29T13:42:51"}, {"id": "REDHAT-RHSA-2015-0809.NASL", "type": "nessus", "title": "RHEL 6 / 7 : java-1.8.0-openjdk (RHSA-2015:0809)", "description": "Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. (CVE-2015-0488)\n\nMultiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. 
(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-04-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82811", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2017-10-29T13:44:45"}, {"id": "DEBIAN_DLA-213.NASL", "type": "nessus", "title": "Debian DLA-213-1 : openjdk-6 security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.\n\nFor Debian 6 'Squeeze', these problems have been fixed in version 6b35-1.13.7-1~deb6u1.\n\nWe recommend that you upgrade your openjdk-6 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-05-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83165", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2017-10-29T13:38:31"}], "oraclelinux": [{"id": "ELSA-2015-0809", "type": "oraclelinux", "title": "java-1.8.0-openjdk security update", "description": "[1:1.8.0.45-30.b13]\n- repacked sources\n- Resolves: RHBZ#1209076\n[1:1.8.0.45-7.b13]\n- Re-add %{name} prefix to patches to avoid conflicts with OpenJDK 7 versions.\n- Remove ppc64le test case now fix has been verified.\n- Resolves: rhbz#1194378\n[1:1.8.0.45-27.b13]\n- updated to security u45\n- minor sync with 7.2\n - generate_source_tarball.sh\n - adapted java-1.8.0-openjdk-s390-java-opts.patch and java-1.8.0-openjdk-size_t.patch\n - reworked (synced) zero patches (removed 103,11 added 204, 400-403)\n - family of 5XX patches renamed to 6XX\n - added upstreamed patch 501 and 505\n - included removeSunEcProvider-RH1154143.patch\n- returned java (jre only) provides\n- repacked policies (source20)\n- removed duplicated NVR provides\n- added automated test for priority (length7)\n- Resolves: RHBZ#1209076", "published": "2015-04-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0809.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-04T11:16:45"}, {"id": "ELSA-2015-0808", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[1:1.6.0.35-1.13.7.1]\n- Repackaged source files\n- Resolves: 
rhbz#1209067\n[1:1.6.0.35-1.13.7.0]\n- Update to IcedTea 1.13.7\n- Regenerate add-final-location-rpaths patch so as to be less disruptive.\n- Resolves: rhbz#1209067", "published": "2015-04-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0808.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2016-09-04T11:17:01"}, {"id": "ELSA-2015-0806", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": "[1:1.7.0.75-2.5.5.1.0.1.el7_1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.75-2.5.5.1]\n- repacked sources\n- Resolves: rhbz#1209072\n[1:1.7.0.75-2.5.5.0]\n- Bump to 2.5.5 using OpenJDK 7u79 b14.\n- Update OpenJDK tarball creation comments\n- Remove test case for RH1191652 now fix has been verified.\n- Drop AArch64 version of RH1191652 HotSpot patch as included upstream.\n- Resolves: rhbz#1209072", "published": "2015-04-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0806.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2016-09-04T11:16:34"}, {"id": "ELSA-2015-0807", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": "[1:1.7.0.75-2.5.5.1.0.1.el5_11]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Oracle Linux'\n[1:1.7.0.75-2.5.5.1]\n- Repacked sources\n- Resolves: rhbz#1209069\n[1:1.7.0.79-2.5.5.0]\n- Bump to 2.5.5 using OpenJDK 7u79 b14.\n- Resolves: rhbz#1209069", "published": "2015-04-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0807.html", "cvelist": 
["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2016-09-04T11:16:45"}], "archlinux": [{"id": "ASA-201504-22", "type": "archlinux", "title": "jre8-openjdk: multiple issues", "description": "- CVE-2005-1080 CVE-2015-0480 (directory traversal)\n\nA directory traversal flaw was found in the way the jar tool extracted\nJAR archive files. A specially crafted JAR archive could cause jar to\noverwrite arbitrary files writable by the user running jar when the\narchive was extracted.\n\n- CVE-2015-0460 (arbitrary code execution)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n\n- CVE-2015-0469 (arbitrary code execution)\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font\nfile could possibly cause the Java Virtual Machine to execute arbitrary\ncode, allowing an untrusted Java application or applet to bypass Java\nsandbox restrictions.\n\n- CVE-2015-0470 (sandbox restriction bypass)\n\nA flaw was discovered in the Hotspot component in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0477 (sandbox restriction bypass)\n\nA flaw was discovered in the Beans component in OpenJDK. 
An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0478 (weak implementation)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n\n- CVE-2015-0488 (denial of service)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly.", "published": "2015-04-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000301.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-02T18:44:43"}, {"id": "ASA-201504-21", "type": "archlinux", "title": "jdk8-openjdk: multiple issues", "description": "- CVE-2005-1080 CVE-2015-0480 (directory traversal)\n\nA directory traversal flaw was found in the way the jar tool extracted\nJAR archive files. A specially crafted JAR archive could cause jar to\noverwrite arbitrary files writable by the user running jar when the\narchive was extracted.\n\n- CVE-2015-0460 (arbitrary code execution)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n\n- CVE-2015-0469 (arbitrary code execution)\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. 
A specially crafted font\nfile could possibly cause the Java Virtual Machine to execute arbitrary\ncode, allowing an untrusted Java application or applet to bypass Java\nsandbox restrictions.\n\n- CVE-2015-0470 (sandbox restriction bypass)\n\nA flaw was discovered in the Hotspot component in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0477 (sandbox restriction bypass)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0478 (weak implementation)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n\n- CVE-2015-0488 (denial of service)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly.", "published": "2015-04-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000300.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-02T18:44:35"}, {"id": "ASA-201504-23", "type": "archlinux", "title": "jre8-openjdk-headless: multiple issues", "description": "- CVE-2005-1080 CVE-2015-0480 (directory traversal)\n\nA directory traversal flaw was found in the way the jar tool extracted\nJAR archive files. 
A specially crafted JAR archive could cause jar to\noverwrite arbitrary files writable by the user running jar when the\narchive was extracted.\n\n- CVE-2015-0460 (arbitrary code execution)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n\n- CVE-2015-0469 (arbitrary code execution)\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font\nfile could possibly cause the Java Virtual Machine to execute arbitrary\ncode, allowing an untrusted Java application or applet to bypass Java\nsandbox restrictions.\n\n- CVE-2015-0470 (sandbox restriction bypass)\n\nA flaw was discovered in the Hotspot component in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0477 (sandbox restriction bypass)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0478 (weak implementation)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n\n- CVE-2015-0488 (denial of service)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. 
A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly.", "published": "2015-04-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000302.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-02T18:44:37"}, {"id": "ASA-201504-15", "type": "archlinux", "title": "jdk7-openjdk: multiple issues", "description": "- CVE-2005-1080 CVE-2015-0480 (directory traversal)\n\nA directory traversal flaw was found in the way the jar tool extracted\nJAR archive files. A specially crafted JAR archive could cause jar to\noverwrite arbitrary files writable by the user running jar when the\narchive was extracted.\n\n- CVE-2015-0460 (arbitrary code execution)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n\n- CVE-2015-0469 (arbitrary code execution)\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font\nfile could possibly cause the Java Virtual Machine to execute arbitrary\ncode, allowing an untrusted Java application or applet to bypass Java\nsandbox restrictions.\n\n- CVE-2015-0477 (sandbox restriction bypass)\n\nA flaw was discovered in the Beans component in OpenJDK. 
An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0478 (weak implementation)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n\n- CVE-2015-0488 (denial of service)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly.", "published": "2015-04-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000294.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2016-09-02T18:44:42"}, {"id": "ASA-201504-16", "type": "archlinux", "title": "jre7-openjdk: multiple issues", "description": "- CVE-2005-1080 CVE-2015-0480 (directory traversal)\n\nA directory traversal flaw was found in the way the jar tool extracted\nJAR archive files. A specially crafted JAR archive could cause jar to\noverwrite arbitrary files writable by the user running jar when the\narchive was extracted.\n\n- CVE-2015-0460 (arbitrary code execution)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n\n- CVE-2015-0469 (arbitrary code execution)\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. 
A specially crafted font\nfile could possibly cause the Java Virtual Machine to execute arbitrary\ncode, allowing an untrusted Java application or applet to bypass Java\nsandbox restrictions.\n\n- CVE-2015-0477 (sandbox restriction bypass)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass certain Java\nsandbox restrictions.\n\n- CVE-2015-0478 (weak implementation)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n\n- CVE-2015-0488 (denial of service)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly.", "published": "2015-04-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000295.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2016-09-02T18:44:37"}], "redhat": [{"id": "RHSA-2015:0807", "type": "redhat", "title": "(RHSA-2015:0807) Important: java-1.7.0-openjdk security update", "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. 
An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. (CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java\napplication or applet could use this flaw to bypass certain Java sandbox\nrestrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-04-14T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0807", "cvelist": ["CVE-2005-1080", "CVE-2015-0460", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488"], "lastseen": "2017-09-09T07:20:39"}, {"id": "RHSA-2015:0806", "type": "redhat", "title": "(RHSA-2015:0806) Critical: java-1.7.0-openjdk security update", "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. (CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java\napplication or applet could use this flaw to bypass certain Java sandbox\nrestrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. 
A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-04-14T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0806", "cvelist": ["CVE-2005-1080", "CVE-2015-0460", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488"], "lastseen": "2018-04-15T14:24:55"}, {"id": "RHSA-2015:0809", "type": "redhat", "title": "(RHSA-2015:0809) Important: java-1.8.0-openjdk security update", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. 
An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. (CVE-2015-0488)\n\nMultiple flaws were discovered in the Beans and Hotspot components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-04-14T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0809", "cvelist": ["CVE-2005-1080", "CVE-2015-0460", "CVE-2015-0469", "CVE-2015-0470", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488"], "lastseen": "2018-04-15T18:30:03"}, {"id": "RHSA-2015:0808", "type": "redhat", "title": "(RHSA-2015:0808) Important: java-1.6.0-openjdk security update", "description": "The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. (CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java\napplication or applet could use this flaw to bypass certain Java sandbox\nrestrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. 
A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-04-14T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0808", "cvelist": ["CVE-2005-1080", "CVE-2015-0460", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488"], "lastseen": "2018-04-15T16:22:13"}, {"id": "RHSA-2015:1091", "type": "redhat", "title": "(RHSA-2015:1091) Low: Red Hat Satellite IBM Java Runtime security update", "description": "IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Satellite 5. In a typical\noperating environment, these are of low security risk as the runtime is not\nused on untrusted applets. Further information about these flaws can be\nfound on the IBM Java Security alerts page, listed in the References\nsection. 
(CVE-2005-1080, CVE-2015-0138, CVE-2015-0192, CVE-2015-0458,\nCVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480,\nCVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nNote: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites\nby default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla\nbug 1207101, linked to from the References section, for additional details\nabout this change.\n\nUsers of Red Hat Satellite 5.6 and 5.7 are advised to upgrade to these\nupdated packages, which contain the IBM Java SE 6 SR16-FP4 release. For\nthis update to take effect, Red Hat Satellite must be restarted\n(\"/usr/sbin/rhn-satellite restart\"), as well as all running instances of\nIBM Java.\n", "published": "2015-06-11T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1091", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2005-1080", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2017-03-04T13:18:41"}, {"id": "RHSA-2015:1020", "type": "redhat", "title": "(RHSA-2015:1020) Critical: java-1.7.1-ibm security update", "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment\nand the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further information\nabout these flaws can be found on the IBM Java Security alerts page, listed\nin the References section. 
(CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,\nCVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,\nCVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nNote: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites\nby default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla\nbug 1207101, linked to in the References section, for additional details\nabout this change.\n\nAll users of java-1.7.1-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7R1 SR3 release. All running instances\nof IBM Java must be restarted for the update to take effect.\n", "published": "2015-05-20T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1020", "cvelist": ["CVE-2005-1080", "CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-1914", "CVE-2015-2808"], "lastseen": "2018-03-20T18:40:07"}, {"id": "RHSA-2015:1006", "type": "redhat", "title": "(RHSA-2015:1006) Critical: java-1.6.0-ibm security update", "description": "IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further information\nabout these flaws can be found on the IBM Java Security alerts page, listed\nin the References section. 
(CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,\nCVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,\nCVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nNote: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites\nby default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla\nbug 1207101, linked to from the References section, for additional details\nabout this change.\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 6 SR16-FP4 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "published": "2015-05-13T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1006", "cvelist": ["CVE-2005-1080", "CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-1914", "CVE-2015-2808"], "lastseen": "2017-09-09T07:20:33"}, {"id": "RHSA-2015:1021", "type": "redhat", "title": "(RHSA-2015:1021) Important: java-1.5.0-ibm security update", "description": "IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further information\nabout these flaws can be found on the IBM Java Security alerts page, listed\nin the References section. 
(CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,\nCVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480,\nCVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nNote: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites\nby default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla\nbug 1207101, linked to in the References section, for additional details\nabout this change.\n\nIBM Java SDK and JRE 5.0 will not receive software updates after September\n2015. This date is referred to as the End of Service (EOS) date. Customers\nare advised to migrate to current versions of IBM Java at this time. IBM\nJava SDK and JRE versions 6 and 7 are available via the Red Hat Enterprise\nLinux 5 and 6 Supplementary content sets and will continue to receive\nupdates based on IBM's lifecycle policy, linked to in the References\nsection.\n\nCustomers can also consider OpenJDK, an open source implementation of\nthe Java SE specification. OpenJDK is available by default on supported\nhardware architectures.\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP10 release. 
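The RC4 note in the IBM advisories above says the updated IBM JDK disables RC4 SSL/TLS cipher suites by default to address CVE-2015-2808. On JDKs that honour the `jdk.tls.disabledAlgorithms` property in `java.security` (OpenJDK does; it is assumed here for whichever JDK is being checked), the quickest way to confirm the change, or to enforce it on a build that does not ship it, is to read and, if needed, rewrite that property. The Python below is an added example, not part of the advisory or of any JDK: the `java.security` excerpts are constructed, and `parse_java_security`, `rc4_disabled` and `ensure_rc4_disabled` are illustrative names.

```python
import re

# Constructed excerpt of a java.security file (not copied from any JDK),
# including the backslash line continuation the properties format allows.
SAMPLE_JAVA_SECURITY = """\
# Algorithm restrictions for SSL/TLS processing
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

# Constructed excerpt from a JDK that still allows RC4.
SAMPLE_WITHOUT_RC4 = "jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA\n"

KEY = "jdk.tls.disabledAlgorithms"


def parse_java_security(text: str) -> dict:
    """Minimal java.security (Java properties) reader: skips '#'/'!' comment
    lines and joins backslash-continued lines into one logical line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props: dict) -> list:
    """The constraint list as separate entries, e.g. 'RC4', 'DH keySize < 768'."""
    return [e.strip() for e in props.get(KEY, "").split(",") if e.strip()]


def rc4_disabled(props: dict) -> bool:
    """True when RC4 is in the TLS disabled list (the CVE-2015-2808 mitigation)."""
    return any(e.upper() == "RC4" for e in disabled_algorithms(props))


def ensure_rc4_disabled(text: str) -> str:
    """Return the file text with RC4 added to jdk.tls.disabledAlgorithms, or
    unchanged if it is already there. The old (possibly multi-line) logical
    line is replaced by a single-line one; a missing key is appended."""
    props = parse_java_security(text)
    if rc4_disabled(props):
        return text
    new_line = KEY + "=" + ", ".join(disabled_algorithms(props) + ["RC4"])
    # Match the key's line plus any backslash-continued lines that follow it.
    pattern = re.compile(r"^" + re.escape(KEY) + r"=(?:[^\n]*\\\n)*[^\n]*", re.M)
    if pattern.search(text):
        return pattern.sub(lambda _m: new_line, text, count=1)
    sep = "" if text.endswith("\n") or not text else "\n"
    return text + sep + new_line + "\n"


if __name__ == "__main__":
    print("sample disables RC4:", rc4_disabled(parse_java_security(SAMPLE_JAVA_SECURITY)))
    print(ensure_rc4_disabled(SAMPLE_WITHOUT_RC4), end="")
```

Point `parse_java_security` at the real file under the JDK's `lib/security/` (path varies by vendor and version) to audit an installation; the rewrite only touches the one property, so the rest of the file, including comments, is preserved.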
All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2015-05-20T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1021", "cvelist": ["CVE-2005-1080", "CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0459", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-1914", "CVE-2015-2808"], "lastseen": "2017-09-09T07:19:49"}, {"id": "RHSA-2015:0858", "type": "redhat", "title": "(RHSA-2015:0858) Important: java-1.6.0-sun security update", "description": "Oracle Java SE version 6 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469,\nCVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488, CVE-2015-0491)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 95 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "published": "2015-04-20T18:05:19", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0858", "cvelist": ["CVE-2005-1080", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0460", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0488", "CVE-2015-0491"], "lastseen": "2018-03-20T08:31:22"}, {"id": "RHSA-2015:0857", "type": "redhat", 
"title": "(RHSA-2015:0857) Critical: java-1.7.0-oracle security update", "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469,\nCVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0488,\nCVE-2015-0491, CVE-2015-0492)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 79 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "published": "2015-04-20T17:52:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0857", "cvelist": ["CVE-2005-1080", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0460", "CVE-2015-0469", "CVE-2015-0477", "CVE-2015-0478", "CVE-2015-0480", "CVE-2015-0484", "CVE-2015-0488", "CVE-2015-0491", "CVE-2015-0492"], "lastseen": "2018-03-20T08:31:43"}], "centos": [{"id": "CESA-2015:0807", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0807\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. 
A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. (CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java\napplication or applet could use this flaw to bypass certain Java sandbox\nrestrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
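The jar tool traversal described above (CVE-2005-1080, CVE-2015-0480) is the classic archive path-escape: an entry named `../../x` is joined onto the destination directory and written wherever that join resolves, so the victim only has to extract an attacker-supplied archive. The Python below is an added example, not code from the advisory or from OpenJDK's jar tool; since a JAR is a zip file it builds a constructed sample with such entries in memory, shows where the vulnerable join would put them, and extracts with a check that rejects any entry whose resolved path leaves the destination. `build_malicious_jar`, `escapes`, `safe_extract` and `demo` are illustrative names.

```python
import io
import os
import pathlib
import tempfile
import zipfile


def build_malicious_jar() -> bytes:
    """Constructed sample JAR (a JAR is a zip): two ordinary entries plus
    two hostile names, the shape of archive that tripped the jar tool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../escaped.txt", "lands two directories above dest\n")
        zf.writestr("/etc/hostile.conf", "absolute entry name\n")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """What a traversal-vulnerable extractor does: join the name and trust it."""
    return os.path.normpath(os.path.join(dest, name))


def escapes(dest: str, name: str) -> bool:
    """True when the naive join of name under dest resolves outside dest."""
    root = pathlib.Path(dest).resolve()
    target = pathlib.Path(naive_target(dest, name)).resolve()
    return target != root and root not in target.parents


def safe_extract(jar_bytes: bytes, dest: str):
    """Extract only entries whose resolved path stays beneath dest.
    Returns (extracted_names, rejected_names)."""
    root = pathlib.Path(dest).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = (root / name).resolve()
            # Zip names must use '/', so any backslash is suspect; absolute
            # names and anything not beneath root (e.g. via '..') are refused.
            if ("\\" in name or os.path.isabs(name)
                    or (target != root and root not in target.parents)):
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(name)
    return extracted, rejected


def demo() -> dict:
    """Run the sample through both checks inside a scratch directory."""
    jar = build_malicious_jar()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.mkdir(dest)
        extracted, rejected = safe_extract(jar, dest)
        naive_escape = {n: escapes(dest, n) for n in extracted + rejected}
        # Anything the safe extractor wrote outside dest would show up here.
        outside = sorted(p.name for p in pathlib.Path(tmp).iterdir()
                         if p.name != "out")
    return {"extracted": extracted, "rejected": rejected,
            "naive_escape": naive_escape, "outside": outside}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable join is written out by hand because Python's own `ZipFile.extract` already strips such path components. Resolving the target with `resolve()` before comparing also catches the case where an earlier entry planted a symlink inside the destination, which a plain string check for `..` would miss.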
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021075.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0807.html", "published": "2015-04-15T11:47:27", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021075.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-03T18:26:56"}, {"id": "CESA-2015:0806", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0806\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. 
(CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java\napplication or applet could use this flaw to bypass certain Java sandbox\nrestrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021066.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021069.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0806.html", "published": "2015-04-15T11:09:51", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021066.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-03T18:24:42"}, {"id": "CESA-2015:0809", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0809\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. 
A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. (CVE-2015-0488)\n\nMultiple flaws were discovered in the Beans and Hotspot components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021067.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021070.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-accessibility\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0809.html", "published": "2015-04-15T11:10:56", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021067.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2017-10-03T18:24:43"}, {"id": "CESA-2015:0808", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0808\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font\nparsing code in the 2D component in OpenJDK. A specially crafted font file\ncould possibly cause the Java Virtual Machine to execute arbitrary code,\nallowing an untrusted Java application or applet to bypass Java sandbox\nrestrictions. (CVE-2015-0469)\n\nA flaw was found in the way the Hotspot component in OpenJDK handled\nphantom references. An untrusted Java application or applet could use this\nflaw to corrupt the Java Virtual Machine memory and, possibly, execute\narbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509\ncertificate options. 
A specially crafted certificate could cause JSSE to\nraise an exception, possibly causing an application using JSSE to exit\nunexpectedly. (CVE-2015-0488)\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java\napplication or applet could use this flaw to bypass certain Java sandbox\nrestrictions. (CVE-2015-0477)\n\nA directory traversal flaw was found in the way the jar tool extracted JAR\narchive files. A specially crafted JAR archive could cause jar to overwrite\narbitrary files writable by the user running jar when the archive was\nextracted. (CVE-2005-1080, CVE-2015-0480)\n\nIt was found that the RSA implementation in the JCE component in OpenJDK\ndid not follow recommended practices for implementing RSA signatures.\n(CVE-2015-0478)\n\nThe CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat\nProduct Security.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021065.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021068.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021073.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0808.html", "published": "2015-04-15T11:08:38", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021065.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2017-10-03T18:26:10"}], "debian": [{"id": "DSA-3235", "type": 
"debian", "title": "openjdk-7 -- security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 7u79-2.5.5-1~deb7u1.\n\nFor the upcoming stable distribution (jessie), these problems will be fixed soon in version 7u79-2.5.5-1~deb8u1 (the update will be available shortly after the final jessie release).\n\nFor the unstable distribution (sid), these problems have been fixed in version 7u79-2.5.5-1.\n\nWe recommend that you upgrade your openjdk-7 packages.", "published": "2015-04-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3235", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-02T18:29:25"}, {"id": "DSA-3234", "type": "debian", "title": "openjdk-6 -- security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 6b35-1.13.7-1~deb7u1.\n\nWe recommend that you upgrade your openjdk-6 packages.", "published": "2015-04-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3234", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-02T18:26:54"}, {"id": "DLA-213", "type": "debian", "title": "openjdk-6 -- LTS 
security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.\n\nFor Debian 6 Squeeze, these problems have been fixed in version 6b35-1.13.7-1~deb6u1.\n\nWe recommend that you upgrade your openjdk-6 packages.", "published": "2015-04-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/2015/dla-213", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-02T12:56:40"}, {"id": "DSA-3316", "type": "debian", "title": "openjdk-7 -- security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, denial of service or insecure cryptography.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 7u79-2.5.6-1~deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in version 7u79-2.5.6-1~deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 7u79-2.5.6-1.\n\nWe recommend that you upgrade your openjdk-7 packages.", "published": "2015-07-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3316", "cvelist": ["CVE-2015-4000", "CVE-2015-2601", "CVE-2015-4749", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-4732", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2613", "CVE-2014-8873", "CVE-2015-2808", "CVE-2015-2590", "CVE-2015-2628", "CVE-2015-4733", "CVE-2015-0478", "CVE-2015-2621", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", 
"CVE-2015-4731", "CVE-2015-0480", "CVE-2015-4748", "CVE-2015-4760"], "lastseen": "2016-09-02T18:34:07"}], "amazon": [{"id": "ALAS-2015-516", "type": "amazon", "title": "Important: java-1.7.0-openjdk", "description": "**Issue Overview:**\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. ([CVE-2015-0469 __](<https://access.redhat.com/security/cve/CVE-2015-0469>))\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. ([CVE-2015-0460 __](<https://access.redhat.com/security/cve/CVE-2015-0460>))\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. ([CVE-2015-0488 __](<https://access.redhat.com/security/cve/CVE-2015-0488>))\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ([CVE-2015-0477 __](<https://access.redhat.com/security/cve/CVE-2015-0477>))\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. 
([CVE-2005-1080 __](<https://access.redhat.com/security/cve/CVE-2005-1080>), [CVE-2015-0480 __](<https://access.redhat.com/security/cve/CVE-2015-0480>))\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. ([CVE-2015-0478 __](<https://access.redhat.com/security/cve/CVE-2015-0478>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.59.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.59.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.79-2.5.5.1.59.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.59.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.59.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.79-2.5.5.1.59.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.59.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.59.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.59.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.79-2.5.5.1.59.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59.amzn1.x86_64 \n \n \n", "published": "2015-04-23T00:44:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-516.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2016-09-28T21:03:59"}, {"id": "ALAS-2015-517", "type": "amazon", "title": "Important: java-1.8.0-openjdk", "description": "**Issue Overview:**\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. 
A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. ([CVE-2015-0469 __](<https://access.redhat.com/security/cve/CVE-2015-0469>))\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. ([CVE-2015-0460 __](<https://access.redhat.com/security/cve/CVE-2015-0460>))\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. ([CVE-2015-0488 __](<https://access.redhat.com/security/cve/CVE-2015-0488>))\n\nMultiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-0477 __](<https://access.redhat.com/security/cve/CVE-2015-0477>), [CVE-2015-0470 __](<https://access.redhat.com/security/cve/CVE-2015-0470>))\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. ([CVE-2005-1080 __](<https://access.redhat.com/security/cve/CVE-2005-1080>), [CVE-2015-0480 __](<https://access.redhat.com/security/cve/CVE-2015-0480>))\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. 
([CVE-2015-0478 __](<https://access.redhat.com/security/cve/CVE-2015-0478>)) \n\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.5.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.45-30.b13.5.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.45-30.b13.5.amzn1.i686 \n java-1.8.0-openjdk-1.8.0.45-30.b13.5.amzn1.i686 \n java-1.8.0-openjdk-demo-1.8.0.45-30.b13.5.amzn1.i686 \n java-1.8.0-openjdk-devel-1.8.0.45-30.b13.5.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.5.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.45-30.b13.5.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-devel-1.8.0.45-30.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.45-30.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-1.8.0.45-30.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.45-30.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.45-30.b13.5.amzn1.x86_64 \n \n \n", "published": "2015-05-05T15:44:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-517.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480"], "lastseen": "2016-09-28T21:04:03"}, {"id": "ALAS-2015-515", "type": "amazon", "title": "Important: java-1.6.0-openjdk", "description": "**Issue Overview:**\n\nAn off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. 
([CVE-2015-0469 __](<https://access.redhat.com/security/cve/CVE-2015-0469>))\n\nA flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. ([CVE-2015-0460 __](<https://access.redhat.com/security/cve/CVE-2015-0460>))\n\nA flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. ([CVE-2015-0488 __](<https://access.redhat.com/security/cve/CVE-2015-0488>))\n\nA flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ([CVE-2015-0477 __](<https://access.redhat.com/security/cve/CVE-2015-0477>))\n\nA directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. ([CVE-2005-1080 __](<https://access.redhat.com/security/cve/CVE-2005-1080>), [CVE-2015-0480 __](<https://access.redhat.com/security/cve/CVE-2015-0480>))\n\nIt was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures. ([CVE-2015-0478 __](<https://access.redhat.com/security/cve/CVE-2015-0478>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system. 
\n\n \n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.70.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.70.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.35-1.13.7.1.70.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.70.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.70.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.70.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.35-1.13.7.1.70.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.35-1.13.7.1.70.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.70.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.70.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.70.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.70.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.70.amzn1.x86_64 \n \n \n", "published": "2015-04-23T00:44:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-515.html", "cvelist": ["CVE-2015-0477", "CVE-2015-0469", "CVE-2005-1080", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480"], "lastseen": "2016-09-28T21:03:57"}], "suse": [{"id": "SUSE-SU-2015:1086-3", "type": "suse", "title": "Security update for Java (important)", "description": "IBM Java 1.7.0 was updated to SR9 fixing security issues and bugs.\n\n Tabulated information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_</a>\n 2015\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May</a>\n _2015>\n\n CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491\n CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488\n CVE-2015-0478 
CVE-2015-0477 CVE-2015-0204\n\n", "published": "2015-06-24T22:05:08", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00021.html", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T12:18:27"}, {"id": "SUSE-SU-2015:1086-1", "type": "suse", "title": "Security update for IBM Java (important)", "description": "IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs.\n\n Tabulated information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_</a>\n 2015\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May</a>\n _2015>\n\n CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491\n CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488\n CVE-2015-0478 CVE-2015-0477 CVE-2015-0204\n\n", "published": "2015-06-18T16:05:48", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T11:57:19"}, {"id": "OPENSUSE-SU-2015:0774-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "OpenJDK was updated to 2.5.5 - OpenJdk 
7u79 to fix security issues and\n bugs:\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-0458: Deployment: unauthenticated remote attackers could\n execute arbitrary code via multiple protocols.\n * CVE-2015-0459: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0460: Hotspot: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0469: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0477: Beans: unauthenticated remote attackers could update,\n insert or delete some JAVA accessible data via multiple protocols\n * CVE-2015-0478: JCE: unauthenticated remote attackers could read some\n JAVA accessible data via multiple protocols\n * CVE-2015-0480: Tools: unauthenticated remote attackers could update,\n insert or delete some JAVA accessible data via multiple protocols and\n cause a partial denial of service (partial DOS)\n * CVE-2015-0484: JavaFX: unauthenticated remote attackers could read,\n update, insert or delete access some Java accessible data via multiple\n protocols and cause a partial denial of service (partial DOS).\n * CVE-2015-0488: JSSE: unauthenticated remote attackers could cause a\n partial denial of service (partial DOS).\n * CVE-2015-0491: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0492: JavaFX: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n\n", "published": "2015-04-27T13:05:55", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00018.html", "cvelist": ["CVE-2015-0484", "CVE-2015-0492", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": 
"2016-09-04T12:17:56"}, {"id": "SUSE-SU-2015:0833-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (critical)", "description": "OpenJDK was updated to version 2.5.5 - OpenJDK 7u79 to fix security issues\n and bugs.\n\n The following vulnerabilities have been fixed:\n\n * CVE-2015-0458: Deployment: unauthenticated remote attackers could\n execute arbitrary code via multiple protocols.\n * CVE-2015-0459: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0460: Hotspot: unauthenticated remote attackers could\n execute arbitrary code via multiple protocols.\n * CVE-2015-0469: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0477: Beans: unauthenticated remote attackers could update,\n insert or delete some JAVA accessible data via multiple protocols\n * CVE-2015-0478: JCE: unauthenticated remote attackers could read some\n JAVA accessible data via multiple protocols\n * CVE-2015-0480: Tools: unauthenticated remote attackers could update,\n insert or delete some JAVA accessible data via multiple protocols\n and cause a partial denial of service (partial DOS)\n * CVE-2015-0484: JavaFX: unauthenticated remote attackers could read,\n update, insert or delete access some Java accessible data via\n multiple protocols and cause a partial denial of service (partial\n DOS).\n * CVE-2015-0488: JSSE: unauthenticated remote attackers could cause a\n partial denial of service (partial DOS).\n * CVE-2015-0491: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0492: JavaFX: unauthenticated remote attackers could\n execute arbitrary code via multiple protocols.\n\n Security Issues:\n\n * CVE-2015-0458\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0458\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0458</a>>\n * CVE-2015-0459\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0459\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0459</a>>\n * CVE-2015-0460\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460</a>>\n * CVE-2015-0469\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469</a>>\n * CVE-2015-0477\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477</a>>\n * CVE-2015-0478\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478</a>>\n * CVE-2015-0480\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480</a>>\n * CVE-2015-0484\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0484\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0484</a>>\n * CVE-2015-0488\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488</a>>\n * CVE-2015-0491\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0491\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0491</a>>\n * CVE-2015-0492\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0492\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0492</a>>\n\n", "published": "2015-05-07T21:04:54", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00002.html", "cvelist": ["CVE-2015-0484", "CVE-2015-0492", "CVE-2015-0477", 
"CVE-2015-0469", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T12:47:49"}, {"id": "OPENSUSE-SU-2015:0773-1", "type": "suse", "title": "Security update for java-1_8_0-openjdk (important)", "description": "OpenJDK was updated to jdk8u45-b14 to fix security issues and bugs.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-0458: Deployment: unauthenticated remote attackers could\n execute arbitrary code via multiple protocols.\n * CVE-2015-0459: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0460: Hotspot: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0469: 2D: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n * CVE-2015-0470: Hotspot: unauthenticated remote attackers could update,\n insert or delete some JAVA accessible data via multiple protocols\n * CVE-2015-0477: Beans: unauthenticated remote attackers could update,\n insert or delete some JAVA accessible data via multiple protocols\n * CVE-2015-0478: JCE: unauthenticated remote attackers could read some\n JAVA accessible data via multiple protocols\n * CVE-2015-0480: Tools: unauthenticated remote attackers could update,\n insert or delete some JAVA accessible data via multiple protocols and\n cause a partial denial of service (partial DOS)\n * CVE-2015-0484: JavaFX: unauthenticated remote attackers could read,\n update, insert or delete access some Java accessible data via multiple\n protocols and cause a partial denial of service (partial DOS).\n * CVE-2015-0486: Deployment: unauthenticated remote attackers could read\n some JAVA accessible data via multiple protocols\n * CVE-2015-0488: JSSE: unauthenticated remote attackers could cause a\n partial denial of service (partial DOS).\n * CVE-2015-0491: 2D: unauthenticated remote attackers could execute\n 
arbitrary code via multiple protocols.\n * CVE-2015-0492: JavaFX: unauthenticated remote attackers could execute\n arbitrary code via multiple protocols.\n\n", "published": "2015-04-27T13:05:39", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00017.html", "cvelist": ["CVE-2015-0484", "CVE-2015-0492", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0478", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480", "CVE-2015-0486", "CVE-2015-0491"], "lastseen": "2016-09-04T11:24:48"}, {"id": "SUSE-SU-2015:1086-2", "type": "suse", "title": "Security update for IBM Java (important)", "description": "IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs.\n\n Tabulated information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_</a>\n 2015\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May</a>\n _2015>\n\n CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491\n CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488\n CVE-2015-0478 CVE-2015-0477 CVE-2015-0204\n\n", "published": "2015-06-22T16:04:54", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00018.html", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T11:45:49"}, {"id": "SUSE-SU-2015:1085-1", "type": 
"suse", "title": "Security update for IBM Java (important)", "description": "IBM Java 1.5.0 was updated to SR16-FP10 fixing security issues and bugs.\n\n Tabulated information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_</a>\n 2015\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May</a>\n _2015>\n\n CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491\n CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478\n CVE-2015-0477 CVE-2015-0204\n\n\n", "published": "2015-06-18T16:05:20", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T11:57:33"}, {"id": "SUSE-SU-2015:1138-1", "type": "suse", "title": "Security update for IBM Java (important)", "description": "IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs.\n\n Tabulated information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_</a>\n 2015\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May</a>\n _2015>\n\n CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 CVE-2015-0491\n CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480 
CVE-2015-0488\n CVE-2015-0478 CVE-2015-0477 CVE-2015-0204\n\n\n", "published": "2015-06-24T22:06:20", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T12:36:33"}, {"id": "SUSE-SU-2015:1161-1", "type": "suse", "title": "Security update for java-1_6_0-ibm (important)", "description": "IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs.\n\n Tabulated information can be found on:\n [<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May</a>\n _2015](<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Upda\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Upda</a>\n te_May_2015)\n\n CVEs addressed: CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138\n CVE-2015-0491 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0480\n CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-0204\n\n Additional bugs fixed:\n\n * Fix javaws/plugin stuff should slave plugin update-alternatives\n (bnc#912434)\n * Changed Java to use the system root CA certificates (bnc#912447)\n\n", "published": "2015-06-30T17:05:18", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00031.html", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", 
"CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T12:35:28"}, {"id": "SUSE-SU-2015:1086-4", "type": "suse", "title": "Security update for java-1_7_0-ibm (important)", "description": "IBM Java 1.7.0 was updated to SR9 fixing security issues and bugs.\n\n Tabulated information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_</a>\n 2015\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May\">http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May</a>\n _2015> .\n\n Security Issues:\n\n * CVE-2015-0192\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0192\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0192</a>>\n * CVE-2015-2808\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808</a>>\n * CVE-2015-1914\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1914\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1914</a>>\n * CVE-2015-0138\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0138</a>>\n * CVE-2015-0491\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0491\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0491</a>>\n * CVE-2015-0458\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0458\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0458</a>>\n * CVE-2015-0459\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0459\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0459</a>>\n * CVE-2015-0469\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469</a>>\n * CVE-2015-0480\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480</a>>\n * CVE-2015-0488\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488</a>>\n * CVE-2015-0478\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478</a>>\n * CVE-2015-0477\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477</a>>\n * CVE-2015-0204\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204</a>>\n\n", "published": "2015-06-27T04:05:10", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00028.html", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0491"], "lastseen": "2016-09-04T11:50:17"}], "f5": [{"id": "SOL17125", "type": "f5", "title": "SOL17125 - Multiple Java vulnerabilities", "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and 
firmware from F5\n", "published": "2015-08-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/17000/100/sol17125.html", "cvelist": ["CVE-2015-0484", "CVE-2015-0492", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0460", "CVE-2015-0470", "CVE-2015-0480", "CVE-2015-0486", "CVE-2015-0491"], "lastseen": "2016-11-09T00:09:33"}, {"id": "F5:K17125", "type": "f5", "title": "Multiple Java vulnerabilities", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| 
None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the **Severity** value. Security Advisory articles published before this date do not list a **Severity** value.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2015-08-13T02:14:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K17125", "cvelist": ["CVE-2015-0484", "CVE-2015-0492", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0460", "CVE-2015-0470", "CVE-2015-0480", "CVE-2015-0486", "CVE-2015-0491"], "lastseen": "2017-06-08T00:16:12"}, {"id": "F5:K60565503", "type": "f5", "title": "OpenJDK vulnerability CVE-2005-1080", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is 
known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.4.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | Not vulnerable | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and 
Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2017-10-04T23:31:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://support.f5.com/csp/article/K60565503", "cvelist": ["CVE-2005-1080"], "lastseen": "2017-10-05T00:18:51"}, {"id": "F5:K17136", "type": "f5", "title": "Java and JRockit vulnerabilities CVE-2015-0478 and CVE-2015-0488", "description": "\nF5 Product Development has assigned IDs 519664 and 519668 (BIG-IP) and INSTALLER-1350 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not 
vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 3.3.2 - 4.4.0| None| Low| JDK \nBIG-IP Edge Clients for Android| None| 2.0.0 - 2.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Apple iOS| None| 2.0.0 - 2.0.4 \n1.0.5 - 1.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Linux| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for MAC OS X| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for Windows| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients Windows Phone 8.1| None| 1.0.0.x| Not vulnerable| None \nBIG-IP Edge Portal for Android| None| 1.0.0 - 1.0.2| Not vulnerable| None \nBIG-IP Edge Portal for Apple iOS| None| 1.0.0 - 1.0.3| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the** Severity **value. 
Security Advisory articles published before this date do not list a **Severity **value.\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "published": "2015-08-25T00:49:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K17136", "cvelist": ["CVE-2015-0478", "CVE-2015-0488"], "lastseen": "2017-06-08T00:16:36"}, {"id": "SOL17136", "type": "f5", "title": "SOL17136 - Java and JRockit vulnerabilities CVE-2015-0478 and CVE-2015-0488", "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. 
If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "published": "2015-08-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/17000/100/sol17136.html", "cvelist": ["CVE-2015-0478", "CVE-2015-0488"], "lastseen": "2016-09-26T17:23:27"}], "kaspersky": [{"id": "KLA10548", "type": "kaspersky", "title": "\r KLA10548Multiple vulnerabilities in Oracle products\t\t\t ", "description": "### *CVSS*:\n10.0\n\n### *Detect date*:\n04/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerabilities were found in Oracle products. By exploiting these vulnerabilities malicious users can affect integrity, availability and confidentiality. 
These vulnerabilities can be exploited remotely via unknown vectors related to 2D, Hotspot, JavaFX, Deployment, Tools, JSSE, Beans and JCE.\n\n### *Affected products*:\nOracle Java SE 5u81, 6u91, 7u76, 8u40 \nOracle JavaFX 2.2.76 \nOracle JRockit R28.3.5\n\n### *Solution*:\nUpdate to the latest version \n[Get Java SE](<http://www.oracle.com/technetwork/java/javase/downloads/index.html>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle JRockit](<https://threats.kaspersky.com/en/product/Oracle-JRockit/>)\n\n### *CVE-IDS*:\n[CVE-2015-0488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488>) \n[CVE-2015-0470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0470>) \n[CVE-2015-0459](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0459>) \n[CVE-2015-0458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0458>) \n[CVE-2015-0477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477>) \n[CVE-2015-0480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480>) \n[CVE-2015-0478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478>) \n[CVE-2015-0469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469>) \n[CVE-2015-0484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0484>) \n[CVE-2015-0492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0492>) \n[CVE-2015-0491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0491>) \n[CVE-2015-0460](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460>) \n[CVE-2015-0486](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0486>) \n[CVE-2015-0204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>)", "published": "2015-04-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"https://threats.kaspersky.com/en/vulnerability/KLA10548", "cvelist": ["CVE-2015-0484", "CVE-2015-0492", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-0459", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480", "CVE-2015-0486", "CVE-2015-0491"], "lastseen": "2018-03-30T14:11:43"}, {"id": "KLA10551", "type": "kaspersky", "title": "KLA10551 Code execution vulnerabilities in Microsoft Office", "description": "### *CVSS*:\n10.0\n\n### *Detect date*:\n04/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nUse-after-free, XSS and other unspecified vulnerabilities were found in Microsoft products. By exploiting these vulnerabilities malicious users can execute or inject arbitrary code. These vulnerabilities can be exploited remotely via a specially designed Office document.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 x86, x64 Service Pack 2 \nMicrosoft Office 2013 x86, x64, RT Service Pack 1 \nMicrosoft Word Viewer \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft SharePoint Server 2010 Service Pack 2 \nMicrosoft SharePoint Server 2013 Service Pack 1 \nMicrosoft Office Web Apps 2010 Service Pack 2 \nMicrosoft Office Web Apps 2013 Service Pack 1\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS15-033](<https://technet.microsoft.com/en-us/library/security/MS15-033>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2015-0488](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488>) \n[CVE-2015-0470](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0470>) \n[CVE-2015-0459](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0459>) 
\n[CVE-2015-0458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0458>) \n[CVE-2015-0477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477>) \n[CVE-2015-0480](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480>) \n[CVE-2015-0478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478>) \n[CVE-2015-0469](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469>) \n[CVE-2015-0484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0484>) \n[CVE-2015-0492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0492>) \n[CVE-2015-0491](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0491>) \n[CVE-2015-0460](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460>) \n[CVE-2015-0486](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0486>) \n[CVE-2015-0204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204>) \n\n\n### *Microsoft official advisories*:\n[MS15-033](<https://technet.microsoft.com/en-us/library/security/MS15-033>)\n\n### *KB list*:\n[2965224](<http://support.microsoft.com/kb/2965224>) \n[2965284](<http://support.microsoft.com/kb/2965284>) \n[2553428](<http://support.microsoft.com/kb/2553428>) \n[2965236](<http://support.microsoft.com/kb/2965236>) \n[2965215](<http://support.microsoft.com/kb/2965215>) \n[2553164](<http://support.microsoft.com/kb/2553164>) \n[2965238](<http://support.microsoft.com/kb/2965238>) \n[2965210](<http://support.microsoft.com/kb/2965210>) \n[2965289](<http://support.microsoft.com/kb/2965289>) \n[3051737](<http://support.microsoft.com/kb/3051737>) \n[2965306](<http://support.microsoft.com/kb/2965306>) \n[3055707](<http://support.microsoft.com/kb/3055707>)", "published": "2015-04-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10551", "cvelist": ["CVE-2015-0484", "CVE-2015-0492", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", 
"CVE-2015-0459", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0480", "CVE-2015-0486", "CVE-2015-0491"], "lastseen": "2018-03-30T14:10:54"}], "aix": [{"id": "JAVA_APRIL2015_ADVISORY.ASC", "type": "aix", "title": "Multiple vulnerabilities in IBM Java SDK affect AIX", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Wed Jun 3 12:58:42 CDT 2015 \n|Updated: Wed Jun 3 16:10:11 CDT 2015\n|Update: Corrected affected fileset levels \n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/java_april2015_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/java_april2015_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/java_april2015_advisory.asc\n\n \nSecurity Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX\n CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0458 CVE-2015-0480\n CVE-2015-0486 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-2808\n CVE-2015-1916 CVE-2015-1914 CVE-2015-0192 CVE-2015-0204\n\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in IBM SDK Java Technology Edition,\n Versions 5, 6, 7, 7.1 that are used by AIX. These issues were disclosed as\n part of the IBM Java SDK updates in April 2015.\n\n This bulletin also addresses FREAK: Factoring Attack on RSA-EXPORT keys'\n SSL/TLS vulnerability and RC4 Bar Mitzvah Attack for SSL/TLS vulnerability.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n\n CVE-2015-0204 was fixed in IBM SDK, Java Technology Edition under\n CVE-2015-0138. Both CVEs are included in this advisory for completeness. 
\n\n CVEID: CVE-2015-0491\n DESCRIPTION: An unspecified vulnerability related to the 2D component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102329 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0459\n DESCRIPTION: An unspecified vulnerability related to the 2D component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102328 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0469\n DESCRIPTION: An unspecified vulnerability related to the 2D component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102327 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0458\n DESCRIPTION: An unspecified vulnerability related to the Deployment\n component has complete confidentiality impact, complete integrity\n impact, and complete availability impact.\n CVSS Base Score: 7.6\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102332 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0480\n DESCRIPTION: A directory traversal vulnerability related to the Tools\n component and the extraction of JAR archive files could allow remote\n attacker to overwrite files on the system with privileges of another\n user.\n CVSS Base Score: 5.8\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102334 for the\n current score\n CVSS Environmental Score*: 
Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P) \n\n CVEID: CVE-2015-0488\n DESCRIPTION: An unspecified vulnerability related to the JSSE component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102336 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n CVEID: CVE-2015-0478\n DESCRIPTION: An unspecified vulnerability related to the JCE component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102339 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n CVEID: CVE-2015-0477\n DESCRIPTION: An unspecified vulnerability related to the Beans component\n has no confidentiality impact, partial integrity impact, and no\n availability impact.\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102337 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n CVEID: CVE-2015-0204\n DESCRIPTION: A vulnerability in the OpenSSL ssl3_get_key_exchange\n function could allow a remote attacker to downgrade the security of\n certain TLS connections. An OpenSSL client accepts the use of an RSA\n temporary key in a non-export RSA key exchange ciphersuite. This\n could allow a remote attacker using man-in-the-middle techniques to\n facilitate brute-force decryption of TLS/SSL traffic between\n vulnerable clients and servers. 
This vulnerability is also known as\n the FREAK attack.\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99707 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n CVEID: CVE-2015-0192\n DESCRIPTION: A vulnerability in the IBM implementation of the Java\n Virtual Machine may, under limited circumstances, allow untrusted\n code running under a security manager to elevate its privileges.\n CVSS Base Score: 6.8\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/101008 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n\n CVEID: CVE-2015-0486\n DESCRIPTION: An unspecified vulnerability related to the Deployment\n component could allow a remote attacker to obtain sensitive\n information.\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102335 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-2808\n DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL\n protocol, could allow a remote attacker to obtain sensitive\n information. An attacker could exploit this vulnerability to remotely\n expose account credentials without requiring an active\n man-in-the-middle session. 
Successful exploitation could allow an\n attacker to retrieve credit card data or other sensitive information.\n This vulnerability is commonly referred to as \"Bar Mitzvah Attack\".\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/101851\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n CVEID: CVE-2015-1916\n DESCRIPTION: Server applications which use the IBM Java Secure Socket\n Extension provider to accept SSL/TLS connections are vulnerable to a\n denial of service attack due to an unspecified vulnerability.\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/101995 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n CVEID: CVE-2015-1914\n DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual\n Machine may allow untrusted code running under a security manager to\n bypass permission checks and view sensitive information.\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/101908 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n CVEID: CVE-2015-0138\n DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could\n allow a remote attacker to downgrade the security of certain SSL/TLS\n connections. An IBM SSL/TLS client implementation could accept the use\n of an RSA temporary key in a non-export RSA key exchange ciphersuite.\n This could allow a remote attacker using man-in-the-middle techniques\n to facilitate brute-force decryption of TLS/SSL traffic between\n vulnerable clients and servers. 
This vulnerability is also known as the\n FREAK attack.\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100691 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1\n VIOS 2.2.x\n\n The following fileset levels (VRMF) are vulnerable, if the \n respective Java version is installed:\n For Java5: Less than 5.0.0.600\n For Java6: Less than 6.0.0.480\n For Java7: Less than 7.0.0.205\n For Java7.1: Less than 7.1.0.85\n\n Note: to find out whether the affected Java filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i java\n\n\n REMEDIATION:\n \n IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 \n Fix Pack 10 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix \n Pack 4 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 and\n subsequent releases:\n 32-bit: 
https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all \n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 7.1 Service Refresh 3 and\n subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all \n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. 
Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2:\n http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n IBM Java SDK Security Bulletin: \n http://www-01.ibm.com/support/docview.wss?uid=swg21883640 \n\n\nACKNOWLEDGEMENTS:\n\n CVE-2015-1916 and CVE-2015-0138 were reported to IBM by Karthikeyan\n Bhargavan of the PROSECCO team at INRIA \n\n\nCHANGE HISTORY:\n\n First Issued: Wed Jun 3 12:58:42 CDT 2015 \n| Updated: Wed Jun 3 16:10:11 CDT 2015\n| Update: Corrected affected fileset levels\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n \n", "published": "2015-06-03T12:58:42", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://aix.software.ibm.com/aix/efixes/security/java_april2015_advisory.asc", "cvelist": ["CVE-2015-0138", "CVE-2015-0192", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-0458", "CVE-2015-1914", "CVE-2015-0459", "CVE-2015-2808", "CVE-2015-0478", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-0486", "CVE-2015-1916", "CVE-2015-0491"], "lastseen": "2016-10-24T17:48:11"}], "gentoo": [{"id": "GLSA-201603-11", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nJava Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today\u2019s demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today\u2019s applications require. \n\n### Description\n\nMultiple vulnerabilities exist in both Oracle\u2019s JRE and JDK. Please review the referenced CVE\u2019s for additional information. \n\n### Impact\n\nRemote attackers could gain access to information, remotely execute arbitrary code, and cause Denial of Service. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JRE Users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.8.0.72\"\n \n\nAll Oracle JDK Users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.8.0.72\"", "published": "2016-03-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201603-11", "cvelist": ["CVE-2015-4000", "CVE-2015-0484", "CVE-2015-2627", "CVE-2015-2601", "CVE-2015-4729", "CVE-2015-0492", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2664", "CVE-2015-4732", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-0477", "CVE-2015-4906", "CVE-2015-0469", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-7840", "CVE-2015-2613", "CVE-2015-4883", "CVE-2015-0458", "CVE-2015-4736", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-0459", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-2590", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-2628", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4733", "CVE-2015-0478", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-2637", "CVE-2015-2621", "CVE-2015-2638", "CVE-2015-0460", "CVE-2015-2619", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-4731", "CVE-2015-2659", "CVE-2015-0480", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4748", "CVE-2015-0486", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-0437", "CVE-2015-0491", "CVE-2015-4760"], "lastseen": "2016-09-06T19:46:05"}], "oracle": [{"id": "ORACLE:CPUAPR2015-2365600", "type": "oracle", "title": "Oracle Critical Patch Update - April 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. 
Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 98 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-04-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2014-0116", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2014-8275", "CVE-2015-2570", "CVE-2014-3570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2014-0094", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2014-0113", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0205", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", 
"CVE-2015-0456", "CVE-2013-4545"], "lastseen": "2018-04-18T20:23:52"}], "atlassian": [{"id": "ATLASSIAN:CONF-37240", "type": "atlassian", "title": "Multiple vulnerabilities in Java 1.7.0_15", "description": "The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines (see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we should be running update 79 for security fixes, and update 80 for subsequent bugfixes).\r\n\r\nThe April 2015 blog post for the latest update lists multiple security issues affecting server code, several exploitable over the network, and 3 that are severity 10.0 (their highest rating). They do not provide any details for us to know what these vulnerabilities are, aside from their CVE IDs. See https://blogs.oracle.com/security/entry/april_2015_critical_patch_update for all the details we have, and watch https://access.redhat.com/security/cve/CVE-2015-0491 https://access.redhat.com/security/cve/CVE-2015-0459 and https://access.redhat.com/security/cve/CVE-2015-0469 for publication.\r\n\r\nWe need to update the bundled version of the JRE to at least 1.7.0_79.\r\n\r\nIn versions of Confluence where we've dropped support for any JRE other than the one we bundle, we need to do this update as a matter of urgency.", "published": "2015-04-16T06:32:43", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://jira.atlassian.com/browse/CONF-37240", "cvelist": ["CVE-2015-0469", "CVE-2015-0459", "CVE-2015-0491"], "lastseen": "2017-03-22T18:16:54"}, {"id": "ATLASSIAN:CONFSERVER-37240", "type": "atlassian", "title": "Multiple vulnerabilities in Java 1.7.0_15", "description": "The version of Java we bundle with Confluence is badly out of date, and well behind the security baseline Oracle defines (see http://www.oracle.com/technetwork/java/javase/7u80-relnotes-2494162.html for example, which says we 
should be running update 79 for security fixes, and update 80 for subsequent bugfixes).\r\n\r\nThe April 2015 blog post for the latest update lists multiple security issues affecting server code, several exploitable over the network, and 3 that are severity 10.0 (their highest rating). They do not provide any details for us to know what these vulnerabilities are, aside from their CVE IDs. See https://blogs.oracle.com/security/entry/april_2015_critical_patch_update for all the details we have, and watch https://access.redhat.com/security/cve/CVE-2015-0491 https://access.redhat.com/security/cve/CVE-2015-0459 and https://access.redhat.com/security/cve/CVE-2015-0469 for publication.\r\n\r\nWe need to update the bundled version of the JRE to at least 1.7.0_79.\r\n\r\nIn versions of Confluence where we've dropped support for any JRE other than the one we bundle, we need to do this update as a matter of urgency.", "published": "2015-04-16T06:32:43", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://jira.atlassian.com/browse/CONFSERVER-37240", "cvelist": ["CVE-2015-0469", "CVE-2015-0459", "CVE-2015-0491"], "lastseen": "2017-10-16T08:56:53"}], "osvdb": [{"id": "OSVDB:15435", "type": "osvdb", "title": "Sun JDK / SDK Jar Handling Traversal Arbitrary File Overwrite", "description": "## Vulnerability Description\nThe Jar utility provided with Java's JDK/SDK allows the extraction of files with names that traverse the directory structure of host system. 
This could be used to create a malicious Jar that will overwrite arbitrary files on the host system when it is extracted.\n## Technical Description\nIf a malicious jar file is created including a file with a name such as, ../../../../../<directory>/<filename>, when this jar is extracted, it will overwrite a file matching /<directory>/<filename>.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nThe Jar utility provided with Java's JDK/SDK allows the extraction of files with names that traverse the directory structure of host system. This could be used to create a malicious Jar that will overwrite arbitrary files on the host system when it is extracted.\n## References:\n[Secunia Advisory ID:14902](https://secuniaresearch.flexerasoftware.com/advisories/14902/)\nOther Advisory URL: http://www.securiteam.com/securitynews/5IP0C0AFGW.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0148.html\n[CVE-2005-1080](https://vulners.com/cve/CVE-2005-1080)\n", "published": "2005-04-11T09:43:08", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:15435", "cvelist": ["CVE-2005-1080"], "lastseen": "2017-04-28T13:20:11"}], "freebsd": [{"id": "18E5428F-AE7C-11D9-837D-000E0C2E438A", "type": "freebsd", "title": "jdk -- jar directory traversal vulnerability", "description": "\nPluf has discovered a vulnerability in Sun Java JDK/SDK,\n\t which potentially can be exploited by malicious people to\n\t compromise a user's system.\n\nThe jar tool does not check properly if the files to be\n\t extracted have the string \"../\" on its names, so it's\n\t possible for an attacker to create a malicious jar file in\n\t order to overwrite arbitrary files within the filesystem.\n\n", "published": "2005-04-11T00:00:00", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/18e5428f-ae7c-11d9-837d-000e0c2e438a.html", "cvelist": ["CVE-2005-1080"], "lastseen": "2016-09-26T17:25:15"}], "threatpost": [{"id": "TLS-IMPLEMENTATIONS-VULNERABLE-TO-RSA-KEY-LEAKS/114567", "type": "threatpost", "title": "Flawed TLS Implementations Leak RSA Keys", "description": "A number of TLS software implementations contain vulnerabilities that allow hackers with minimal computational expense to learn RSA keys.\n\nFlorian Weimer, a researcher with Red Hat, last week published a paper called \u201c[Factoring RSA Keys With TLS Perfect Forward Secrecy](<https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf>)\u201d that demonstrated vulnerabilities in a number of devices, including a popular Citrix load balancer and others from Hillstone Networks, Nortel, Viprinet and others.\n\nThe TLS implementations in these products, Weimer said, lack proper hardening to defend against what is known as the Lenstra attack against the Chinese Remainder Theorem, also known as RSA-CRT.\n\n\u201cIf a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an \u201cRSA-CRT 
key leak\u201d). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures,\u201d Weimer wrote of the Lenstra attacks. \u201cThis changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.\u201d\n\nLenstra is described as a side-channel attack, and Weimer said that the RSA algorithm itself is safe against this attack and that the weakness is strictly in the various implementations that are not hardened.\n\n\u201cWe saw several RSA-CRT key leaks, where we should not have observed any at all,\u201d he wrote, adding that implementations in OpenSSL and NSS were hardened, for example, and that Oracle patched OpenJDK in CVE-2015-0478 after working with Weimer. All browser PKI certs where leaks were observed have been replaced and revoked, he added.\n\nHackers can use this offline attack relatively inexpensively compared to other cryptographic attacks, he wrote. Grabbing a private crypto key, however, is extremely dangerous to the data and communication the TLS encryption is supposed to be protecting. An attacker, Weimer said, would already have to be on the network via a man-in-the-middle attack or server compromise to pull off this type of secondary attack and ultimately impersonate the server in question.\n\n\u201cEither the client making the TLS handshake can see this leak, or a passive observer capturing network traffic,\u201d Weimer wrote. \u201cThe key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack.\u201d\n\nAttacks, meanwhile, are difficult to spot since they\u2019re conducted offline. 
An intrusion detection system, Weimer said, could spot a key leak if it is configured to check all TLS handshakes.\n\n\u201cFor the key leaks we have observed, we do not think there is a way for remote attackers to produce key leaks at will, in the sense that an attacker could manipulate the server over the network in such a way that the probability of a key leak in a particular TLS handshake increases,\u201d Weimer said. \u201cThe only thing the attacker can do is to capture as many handshakes as possible, perhaps by initiating many such handshakes themselves.\u201d\n\nForward secrecy is being implemented in many critical systems. With forward secrecy, a new crypto key is generated for every session, meaning that an attacker who intercepts many sessions and later recovers one key can decrypt only that one session, not all of them. Disabling forward secrecy, he said, is not a wise strategy.\n\n\u201cDisabling forward secrecy would enable passive observers of past key leaks to decrypt future TLS sessions, from passively captured network traffic, without having to redirect client connections,\u201d Weimer wrote. \u201cThis means that disabling forward secrecy generally makes things worse. (Disabling forward secrecy and replacing the server certificate with a new one would work, though.)\u201d", "published": "2015-09-08T15:09:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://threatpost.com/tls-implementations-vulnerable-to-rsa-key-leaks/114567/", "cvelist": ["CVE-2015-0478"], "lastseen": "2016-09-04T20:48:30"}]}}