ID: CVE-2013-1485
Type: cve
Reporter: cve@mitre.org
Modified: 2017-09-19T01:36:00
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.
Per vendor Note 1: "Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)"
{"zdi": [{"lastseen": "2020-06-22T11:40:22", "bulletinFamily": "info", "cvelist": ["CVE-2013-1485"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or run a malicious file. The specific bypass exists within usage of MethodHandles invoking AccessController.doPrivilegedWithCombiner. This allows a malicious applet to execute attacker supplied code resulting in remote code execution under the context of the process.", "modified": "2013-06-22T00:00:00", "published": "2013-03-22T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-041/", "id": "ZDI-13-041", "title": "Oracle Java doPrivilegedWithCombiner Security Manager Bypass Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2017-07-25T10:51:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "Check for the Version of java", "modified": "2017-07-10T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:881602", "href": "http://plugins.openvas.org/nasl.php?oid=881602", "type": "openvas", "title": "CentOS Update for java CESA-2013:0275 centos5 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0275 centos5 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple improper permission check issues were discovered in the JMX and\n Libraries components in OpenJDK. An untrusted Java application or applet\n could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\n CVE-2013-1484)\n \n An improper permission check issue was discovered in the Libraries\n component in OpenJDK. An untrusted Java application or applet could use\n this flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n \n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n \n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. Refer to\n the NEWS file, linked to in the References, for further information.\n \n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. 
All running instances of OpenJDK Java\n must be restarted for the update to take effect.\";\n\n\ntag_affected = \"java on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2013-February/019254.html\");\n script_id(881602);\n script_version(\"$Revision: 6655 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:48:58 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:04:08 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2013:0275\");\n script_name(\"CentOS Update for java CESA-2013:0275 centos5 \");\n\n script_summary(\"Check for the Version of java\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", 
rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-24T11:09:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "Check for the Version of java", "modified": "2018-01-24T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:881611", "href": "http://plugins.openvas.org/nasl.php?oid=881611", "type": "openvas", "title": "CentOS Update for java CESA-2013:0275 centos6 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0275 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple improper permission check issues were discovered in the JMX and\n Libraries components in OpenJDK. An untrusted Java application or applet\n could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\n CVE-2013-1484)\n \n An improper permission check issue was discovered in the Libraries\n component in OpenJDK. An untrusted Java application or applet could use\n this flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n \n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n \n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. Refer to\n the NEWS file, linked to in the References, for further information.\n \n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. 
All running instances of OpenJDK Java\n must be restarted for the update to take effect.\";\n\n\ntag_affected = \"java on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2013-February/019253.html\");\n script_id(881611);\n script_version(\"$Revision: 8509 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 07:57:46 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:07:08 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2013:0275\");\n script_name(\"CentOS Update for java CESA-2013:0275 centos6 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of java\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", 
rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310881602", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881602", "type": "openvas", "title": "CentOS Update for java CESA-2013:0275 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0275 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-February/019254.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881602\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:04:08 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2013:0275\");\n script_name(\"CentOS Update for java CESA-2013:0275 centos5\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple improper permission check issues were discovered in the JMX and\n 
Libraries components in OpenJDK. An untrusted Java application or applet\n could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\n CVE-2013-1484)\n\n An improper permission check issue was discovered in the Libraries\n component in OpenJDK. An untrusted Java application or applet could use\n this flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n\n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n\n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", 
rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:01:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120391", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120391", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2013-162)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120391\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:25:16 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2013-162)\");\n script_tag(name:\"insight\", value:\"Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486, CVE-2013-1484 )An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485 )It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. 
(CVE-2013-0169 )\");\n script_tag(name:\"solution\", value:\"Run yum update java-1.7.0-openjdk to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2013-162.html\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\", \"CVE-2013-1485\", \"CVE-2013-1484\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.9~2.3.7.1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.20.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-27T10:52:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "Check for the Version of java-1.7.0-openjdk", "modified": "2017-07-12T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:870916", "href": "http://plugins.openvas.org/nasl.php?oid=870916", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0275-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2013:0275-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple improper permission check issues were discovered in the JMX and\n Libraries components in OpenJDK. An untrusted Java application or applet\n could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\n CVE-2013-1484)\n\n An improper permission check issue was discovered in the Libraries\n component in OpenJDK. An untrusted Java application or applet could use\n this flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n\n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n\n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\";\n\n\ntag_affected = \"java-1.7.0-openjdk on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2013-February/msg00036.html\");\n script_id(870916);\n script_version(\"$Revision: 6687 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:46:43 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:01:23 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_bugtraq_id(57778, 58027, 58028, 58029);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2013:0275-01\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2013:0275-01\");\n\n script_summary(\"Check for the Version of java-1.7.0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.9~2.3.7.1.el6_3\", 
rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310870916", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310870916", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0275-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2013:0275-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-February/msg00036.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870916\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:01:23 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_bugtraq_id(57778, 58027, 58028, 58029);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"RHSA\", value:\"2013:0275-01\");\n script_name(\"RedHat 
Update for java-1.7.0-openjdk RHSA-2013:0275-01\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.7.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(6|5)\");\n script_tag(name:\"affected\", value:\"java-1.7.0-openjdk on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple improper permission check issues were discovered in the JMX and\n Libraries components in OpenJDK. An untrusted Java application or applet\n could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\n CVE-2013-1484)\n\n An improper permission check issue was discovered in the Libraries\n component in OpenJDK. An untrusted Java application or applet could use\n this flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n\n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n\n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. 
Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.9~2.3.7.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1484"], "description": "This host is installed with Oracle Java SE and is prone to\n multiple vulnerabilities.", "modified": "2018-10-24T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310903203", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310903203", "type": "openvas", "title": "Oracle Java SE Multiple Vulnerabilities -02 Feb 13 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_oracle_java_se_mult_vuln02_feb13_win.nasl 28074 2013-02-22 13:41:39Z feb$\n#\n# Oracle Java SE Multiple Vulnerabilities -02 Feb 13 (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.903203\");\n script_version(\"$Revision: 12047 $\");\n script_cve_id(\"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\", \"CVE-2013-1487\");\n script_bugtraq_id(58027, 58028, 58029, 58031);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 09:38:41 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 13:41:39 +0530 (Fri, 22 Feb 2013)\");\n script_name(\"Oracle Java SE Multiple Vulnerabilities -02 Feb 13 (Windows)\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id/1028155\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 SecPod\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_portable_win.nasl\");\n script_mandatory_keys(\"Sun/Java/JRE/Win/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation allows remote attackers to affect confidentiality,\n integrity and availability via unknown vectors. 
Attackers can even execute\n arbitrary code on the target system.\");\n script_tag(name:\"affected\", value:\"Oracle Java SE Version 7 Update 13 and earlier, 6 Update 39 and earlier,\n 5 Update 39 and earlier.\");\n script_tag(name:\"insight\", value:\"Multiple flaws due to unspecified errors in the following components:\n\n - Deployment\n\n - Libraries\n\n - Java Management Extensions (JMX)\");\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n script_tag(name:\"summary\", value:\"This host is installed with Oracle Java SE and is prone to\n multiple vulnerabilities.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\njreVer = get_kb_item(\"Sun/Java/JRE/Win/Ver\");\n\nif(jreVer)\n{\n if(version_in_range(version:jreVer, test_version:\"1.7\", test_version2:\"1.7.0.13\")||\n version_in_range(version:jreVer, test_version:\"1.6\", test_version2:\"1.6.0.39\")||\n version_in_range(version:jreVer, test_version:\"1.5\", test_version2:\"1.5.0.39\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-11-13T12:52:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1484"], "description": "This host is installed with Oracle Java SE and is prone to\n multiple vulnerabilities.", "modified": "2017-11-08T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:903203", "href": "http://plugins.openvas.org/nasl.php?oid=903203", "type": "openvas", "title": "Oracle Java SE Multiple Vulnerabilities -02 Feb 13 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_oracle_java_se_mult_vuln02_feb13_win.nasl 28074 2013-02-22 13:41:39Z 
feb$\n#\n# Oracle Java SE Multiple Vulnerabilities -02 Feb 13 (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation allows remote attackers to affect confidentiality,\n integrity and availability via unknown vectors. 
Attackers can even execute\n arbitrary code on the target system.\n Impact Level: System/Application\";\n\ntag_affected = \"Oracle Java SE Version 7 Update 13 and earlier, 6 Update 39 and earlier,\n 5 Update 39 and earlier.\";\ntag_insight = \"Multiple flaws due to unspecified errors in the following components:\n - Deployment\n - Libraries\n - Java Management Extensions (JMX)\";\ntag_solution = \"Apply patch from below link,\n http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html\";\ntag_summary = \"This host is installed with Oracle Java SE and is prone to\n multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(903203);\n script_version(\"$Revision: 7699 $\");\n script_cve_id(\"CVE-2013-1484\",\"CVE-2013-1485\",\"CVE-2013-1486\",\"CVE-2013-1487\");\n script_bugtraq_id(58027,58028,58029,58031);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-11-08 13:10:34 +0100 (Wed, 08 Nov 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 13:41:39 +0530 (Fri, 22 Feb 2013)\");\n script_name(\"Oracle Java SE Multiple Vulnerabilities -02 Feb 13 (Windows)\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id/1028155\");\n script_xref(name : \"URL\" , value : \"http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 SecPod\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_win.nasl\");\n script_require_keys(\"Sun/Java/JRE/Win/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n 
script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\njreVer = \"\";\n\n## Get JRE Version from KB\njreVer = get_kb_item(\"Sun/Java/JRE/Win/Ver\");\n\nif(jreVer)\n{\n ##Check for Oracle Java SE Versions\n if(version_in_range(version:jreVer, test_version:\"1.7\", test_version2:\"1.7.0.13\")||\n version_in_range(version:jreVer, test_version:\"1.6\", test_version2:\"1.6.0.39\")||\n version_in_range(version:jreVer, test_version:\"1.5\", test_version2:\"1.5.0.39\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:36:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "Oracle Linux Local Security Checks ELSA-2013-0275", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123720", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123720", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0275", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-0275.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123720\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:07:38 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-0275\");\n script_tag(name:\"insight\", value:\"ELSA-2013-0275 - java-1.7.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-0275\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-0275.html\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\", \"CVE-2013-1484\", \"CVE-2013-1485\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = 
isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.0.2.el6_3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.0.2.el6_3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.0.2.el6_3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.0.2.el6_3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.0.2.el6_3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n 
exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310881611", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881611", "type": "openvas", "title": "CentOS Update for java CESA-2013:0275 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0275 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-February/019253.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881611\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:07:08 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2013:0275\");\n script_name(\"CentOS Update for java CESA-2013:0275 centos6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"java on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple improper permission check issues were discovered in the JMX and\n Libraries components in OpenJDK. 
An untrusted Java application or applet\n could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\n CVE-2013-1484)\n\n An improper permission check issue was discovered in the Libraries\n component in OpenJDK. An untrusted Java application or applet could use\n this flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n\n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n\n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", 
rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.7.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:26:00", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0275\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX and\nLibraries components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\nCVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could use\nthis flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when decrypting\nTLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\nA remote attacker could possibly use this flaw to retrieve plain text from\nthe encrypted packets by using a TLS/SSL server as a padding oracle.\n(CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-February/031291.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-February/031292.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0275.html", "edition": 3, "modified": "2013-02-20T20:24:28", "published": "2013-02-20T20:12:54", "href": "http://lists.centos.org/pipermail/centos-announce/2013-February/031291.html", "id": "CESA-2013:0275", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:06", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "[1.7.0.9-2.3.7.1.0.2.el6_3]\n- Increase release number and rebuild.\n[1.7.0.9-2.3.7.1.0.1.el6_3]\n- Update DISTRO_NAME in specfile\n[1.7.0.9-2.3.7.1.el6_3]\n- Updated main source tarball\n- Resolves: rhbz#911529\n[1.7.0.9-2.3.7.0.el6_3]\n- Removed patch1000 sec-2013-02-01-8005615.patch\n- Removed patch1001 sec-2013-02-01-8005615-sync_with_jdk7u.patch\n- Removed patch1010 sec-2013-02-01-7201064.patch\n- Removed testing\n - mauve was outdated and\n - jtreg was icedtea relict\n- Updated to icedtea 2.3.7\n- Added java -Xshare:dump to post (see 513605) for jitarchs\n- Resolves: rhbz#911529", "edition": 4, "modified": "2013-02-20T00:00:00", "published": "2013-02-20T00:00:00", "id": "ELSA-2013-0275", "href": "http://linux.oracle.com/errata/ELSA-2013-0275.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:38", "bulletinFamily": "unix", "cvelist": 
["CVE-2013-0169", "CVE-2013-1484", "CVE-2013-1485", "CVE-2013-1486"], "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX and\nLibraries components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2013-1486,\nCVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could use\nthis flaw to bypass certain Java sandbox restrictions. (CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when decrypting\nTLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\nA remote attacker could possibly use this flaw to retrieve plain text from\nthe encrypted packets by using a TLS/SSL server as a padding oracle.\n(CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:30", "published": "2013-02-20T05:00:00", "id": "RHSA-2013:0275", "href": "https://access.redhat.com/errata/RHSA-2013:0275", "type": "redhat", "title": "(RHSA-2013:0275) Important: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:15", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0169", "CVE-2013-1484", "CVE-2013-1485", "CVE-2013-1486", "CVE-2013-1487"], "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487)\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 15 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.\n", "modified": "2018-06-07T09:04:37", "published": "2013-02-20T05:00:00", "id": "RHSA-2013:0532", "href": "https://access.redhat.com/errata/RHSA-2013:0532", "type": "redhat", "title": "(RHSA-2013:0532) Critical: java-1.7.0-oracle security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:21", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1541", "CVE-2012-3174", "CVE-2012-3213", "CVE-2012-3342", "CVE-2012-5085", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0422", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0431", "CVE-2013-0432", "CVE-2013-0433", 
"CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0437", "CVE-2013-0438", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0449", "CVE-2013-0450", "CVE-2013-0809", "CVE-2013-1473", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1484", "CVE-2013-1485", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1493"], "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2012-1541, CVE-2012-3174,\nCVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419,\nCVE-2013-0422, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0427, CVE-2013-0428, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433,\nCVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,\nCVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0449, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473,\nCVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485,\nCVE-2013-1486, CVE-2013-1487, CVE-2013-1493)\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR4 release. 
All running instances\nof IBM Java must be restarted for the update to take effect.\n", "modified": "2018-06-07T09:04:36", "published": "2013-03-11T04:00:00", "id": "RHSA-2013:0626", "href": "https://access.redhat.com/errata/RHSA-2013:0626", "type": "redhat", "title": "(RHSA-2013:0626) Critical: java-1.7.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:34:36", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "description": "**Issue Overview:**\n\nMultiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-1486](<https://access.redhat.com/security/cve/CVE-2013-1486>), [CVE-2013-1484](<https://access.redhat.com/security/cve/CVE-2013-1484>))\n\nAn improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ([CVE-2013-1485](<https://access.redhat.com/security/cve/CVE-2013-1485>))\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. 
([CVE-2013-0169](<https://access.redhat.com/security/cve/CVE-2013-0169>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.20.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-03-02T16:49:00", "published": "2013-03-02T16:49:00", "id": "ALAS-2013-162", "href": "https://alas.aws.amazon.com/ALAS-2013-162.html", "title": "Important: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T09:28:31", "description": "Updated java-1.7.0-openjdk packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. 
An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486, CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 24, "published": "2013-02-21T00:00:00", "title": "CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0275)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "modified": "2013-02-21T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc"], "id": "CENTOS_RHSA-2013-0275.NASL", "href": "https://www.tenable.com/plugins/nessus/64731", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0275 and \n# CentOS Errata and Security Advisory 2013:0275 
respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64731);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_bugtraq_id(58027, 58028);\n script_xref(name:\"RHSA\", value:\"2013:0275\");\n\n script_name(english:\"CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0275)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486, CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. 
A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-February/019253.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d90ac29c\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-February/019254.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?820f7484\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1484\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x / 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:12:01", "description": "Updated java-1.7.0-openjdk packages that fix several security issues\nare now 
available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486, CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 24, "published": "2013-02-21T00:00:00", "title": "RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0275)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "modified": "2013-02-21T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6.3", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc"], "id": "REDHAT-RHSA-2013-0275.NASL", "href": "https://www.tenable.com/plugins/nessus/64748", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0275. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64748);\n script_version(\"1.30\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_bugtraq_id(58028);\n script_xref(name:\"RHSA\", value:\"2013:0275\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0275)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486, CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. 
A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.7/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b1f0b2f2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0275\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1486\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1484\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1485\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0275\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", 
reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.el5_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", 
reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.el6_3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:47:45", "description": "From Red Hat Security Advisory 2013:0275 :\n\nUpdated java-1.7.0-openjdk packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486, CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. 
An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 21, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0275)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "modified": "2013-07-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk"], "id": "ORACLELINUX_ELSA-2013-0275.NASL", "href": "https://www.tenable.com/plugins/nessus/68736", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0275 and \n# Oracle Linux Security Advisory ELSA-2013-0275 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68736);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n 
script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_bugtraq_id(57778, 58027, 58028, 58029);\n script_xref(name:\"RHSA\", value:\"2013:0275\");\n\n script_name(english:\"Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0275)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:0275 :\n\nUpdated java-1.7.0-openjdk packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486, CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. 
(CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.7.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-February/003266.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-February/003269.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.0.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.0.2.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.0.2.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.0.2.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.0.2.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.0.2.el6_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T01:21:12", "description": "Multiple improper permission check issues were 
discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486 , CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)", "edition": 25, "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-162)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1484"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.7.0-openjdk", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2013-162.NASL", "href": "https://www.tenable.com/plugins/nessus/69721", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-162.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69721);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1485\", \"CVE-2013-1486\");\n script_xref(name:\"ALAS\", value:\"2013-162\");\n script_xref(name:\"RHSA\", value:\"2013:0275\");\n\n script_name(english:\"Amazon Linux AMI : 
java-1.7.0-openjdk (ALAS-2013-162)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-1486 , CVE-2013-1484)\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions.\n(CVE-2013-1485)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. 
(CVE-2013-0169)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-162.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.7.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = 
pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.20.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:12:04", "description": "Updated java-1.7.0-oracle packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE\nCritical Patch Update Advisory page, listed in the References section.\n(CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486,\nCVE-2013-1487)\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 15 and resolve these\nissues. All running instances of Oracle Java must be restarted for the\nupdate to take effect.", "edition": 21, "published": "2013-02-21T00:00:00", "title": "RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0532)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1484"], "modified": "2013-02-21T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin"], "id": "REDHAT-RHSA-2013-0532.NASL", "href": "https://www.tenable.com/plugins/nessus/64775", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0532. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64775);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\", \"CVE-2013-1487\");\n script_bugtraq_id(58027, 58028);\n script_xref(name:\"RHSA\", value:\"2013:0532\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0532)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-oracle packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE\nCritical Patch Update Advisory page, listed in the References section.\n(CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486,\nCVE-2013-1487)\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 15 and resolve these\nissues. 
All running instances of Oracle Java must be restarted for the\nupdate to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-0169.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-1484.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-1485.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-1486.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-1487.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.oracle.com/technetwork/topics/security/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-0532.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-devel-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-devel-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", 
reference:\"java-1.7.0-oracle-javafx-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-plugin-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-src-1.7.0.15-1jpp.1.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.15-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-devel-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-devel-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-javafx-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-plugin-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", 
cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-src-1.7.0.15-1jpp.1.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.15-1jpp.1.el6_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T04:57:41", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 15, 6 Update 41,\n5 Update 40 or 1.4.2 Update 42. It is, therefore, potentially\naffected by security issues in the following components :\n\n - Deployment\n - JMX\n - JSSE\n - Libraries", "edition": 27, "published": "2013-02-22T00:00:00", "title": "Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) (Unix)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1484"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_FEB_2013_1_UNIX.NASL", "href": "https://www.tenable.com/plugins/nessus/64851", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64851);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\n \"CVE-2013-0169\",\n \"CVE-2013-1484\",\n \"CVE-2013-1485\",\n \"CVE-2013-1486\",\n \"CVE-2013-1487\"\n );\n script_bugtraq_id(57778, 58027, 58028, 58029, 58031);\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) (Unix)\");\n script_summary(english:\"Checks version of the JRE\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Unix host contains a programming platform that is\npotentially affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 15, 6 Update 41,\n5 Update 40 or 1.4.2 Update 42. It is, therefore, potentially\naffected by security issues in the following components :\n\n - Deployment\n - JMX\n - JSSE\n - Libraries\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-041/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-042/\");\n # https://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?31376144\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.isg.rhul.ac.uk/tls/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.oracle.com/technetwork/java/eol-135779.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to JDK / JRE 7 Update 15, 6 Update 41, 5 Update 40, 1.4.2\nUpdate 42 or later and, if necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 5 Update 40 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2013/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"sun_java_jre_installed_unix.nasl\");\n script_require_keys(\"Host/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"Host/Java/JRE/Unmanaged/*\");\n\ninfo = \"\";\nvuln = 0;\nvuln2 = 0;\ninstalled_versions = \"\";\ngranular = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"Host/Java/JRE/Unmanaged/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n if (\n ver =~ '^1\\\\.4\\\\.([01]_|2_([0-9]|[0-3][0-9]|4[01]))([^0-9]|$)' ||\n ver =~ '^1\\\\.5\\\\.0_([0-9]|[0-2][0-9]|3[0-9])([^0-9]|$)' ||\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-2][0-9]|3[0-9])([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_(0[0-9]|1[0-3])([^0-9]|$)'\n\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.4.2_42 / 1.5.0_40 / 1.6.0_41 / 1.7.0_15\\n';\n }\n else if (ver =~ \"^[\\d\\.]+$\")\n {\n dirs = make_list(get_kb_list(install));\n foreach dir (dirs)\n granular += \"The Oracle Java version \"+ver+\" at \"+dir+\" is not granular enough to make a determination.\"+'\\n';\n }\n else\n {\n dirs = make_list(get_kb_list(install));\n vuln2 += max_index(dirs);\n }\n\n}\n\n# Report if any were found to be vulnerable.\nif 
(info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n if (granular) exit(0, granular);\n}\nelse\n{\n if (granular) exit(0, granular);\n\n installed_versions = substr(installed_versions, 3);\n if (vuln2 > 1)\n exit(0, \"The Java \"+installed_versions+\" installs on the remote host are not affected.\");\n else\n exit(0, \"The Java \"+installed_versions+\" install on the remote host is not affected.\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T04:57:40", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 15, 6 Update 41,\n5 Update 40 or 1.4.2 Update 42. It is, therefore, potentially\naffected by security issues in the following components :\n\n - Deployment\n - JMX\n - JSSE\n - Libraries", "edition": 26, "published": "2013-02-21T00:00:00", "title": "Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1484"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_FEB_2013_1.NASL", "href": "https://www.tenable.com/plugins/nessus/64790", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64790);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\n \"CVE-2013-0169\",\n \"CVE-2013-1484\",\n \"CVE-2013-1485\",\n \"CVE-2013-1486\",\n \"CVE-2013-1487\"\n );\n script_bugtraq_id(57778, 58027, 58028, 58029, 58031);\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities 
(February 2013 CPU Update 1)\");\n script_summary(english:\"Checks version of the JRE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a programming platform that is\npotentially affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 15, 6 Update 41,\n5 Update 40 or 1.4.2 Update 42. It is, therefore, potentially\naffected by security issues in the following components :\n\n - Deployment\n - JMX\n - JSSE\n - Libraries\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-041/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-042/\");\n # https://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?31376144\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.isg.rhul.ac.uk/tls/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.oracle.com/technetwork/java/eol-135779.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to JDK / JRE 7 Update 15, 6 Update 41, 5 Update 40, 1.4.2\nUpdate 42 or later and, if necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 5 Update 40 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/19\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\");\n script_require_keys(\"SMB/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"SMB/Java/JRE/*\");\n\ninfo = \"\";\nvuln = 0;\ninstalled_versions = \"\";\nerrors = make_list();\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"SMB/Java/JRE/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n if (\n ver =~ \"^1\\.4(\\.2)?$\" ||\n ver =~ \"^1\\.[567]$\"\n )\n {\n errors = make_list(errors, \"The version, '\"+ver+\"', is not granular enough to make a determination\");\n continue;\n }\n\n installed_versions = installed_versions + \" & \" + ver;\n\n if (\n ver =~ '^1\\\\.4\\\\.([01]_|2_([0-9]|[0-3][0-9]|4[01]))([^0-9]|$)' ||\n ver =~ '^1\\\\.5\\\\.0_([0-9]|[0-2][0-9]|3[0-9])([^0-9]|$)' ||\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-2][0-9]|3[0-9])([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_(0[0-9]|1[0-3])([^0-9]|$)'\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.4.2_42 / 1.5.0_40 / 1.6.0_41 / 1.7.0_15\\n';\n }\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 
445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\n\nif (max_index(errors))\n{\n if (max_index(errors) == 1) errmsg = errors[0];\n else errmsg = 'Errors were encountered verifying installs : \\n ' + join(errors, sep:'\\n ');\n\n exit(1, errmsg);\n}\nelse\n{\n installed_versions = substr(installed_versions, 3);\n if (\" & \" >< installed_versions)\n exit(0, \"The Java \"+installed_versions+\" installs on the remote host are not affected.\");\n else\n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T07:25:33", "description": "Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as\nused in OpenJDK was vulnerable to a timing side-channel attack known\nas the 'Lucky Thirteen' issue. A remote attacker could use this issue\nto perform plaintext-recovery attacks via analysis of timing data.\n(CVE-2013-0169)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to cause a denial of service. This issue only affected Ubuntu\n12.10. (CVE-2013-1484)\n\nA data integrity vulnerability was discovered in the OpenJDK JRE. This\nissue only affected Ubuntu 12.10. (CVE-2013-1485)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthese to cause a denial of service. (CVE-2013-1486, CVE-2013-1487).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "published": "2013-02-22T00:00:00", "title": "Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openjdk-6, openjdk-7 vulnerabilities (USN-1735-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1484"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-zero", "p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao", "p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-jamvm", "cpe:/o:canonical:ubuntu_linux:11.10", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero", "p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre", "cpe:/o:canonical:ubuntu_linux:12.10", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib", "p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-cacao", "p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-lib", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1735-1.NASL", "href": "https://www.tenable.com/plugins/nessus/64801", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1735-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64801);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2019/09/19 12:54:28\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\", \"CVE-2013-1487\");\n script_bugtraq_id(57778, 58027, 58028, 58029, 58031);\n script_xref(name:\"USN\", value:\"1735-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openjdk-6, openjdk-7 vulnerabilities (USN-1735-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as\nused in OpenJDK was vulnerable to a timing side-channel attack known\nas the 'Lucky Thirteen' issue. A remote attacker could use this issue\nto perform plaintext-recovery attacks via analysis of timing data.\n(CVE-2013-0169)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to cause a denial of service. This issue only affected Ubuntu\n12.10. (CVE-2013-1484)\n\nA data integrity vulnerability was discovered in the OpenJDK JRE. This\nissue only affected Ubuntu 12.10. (CVE-2013-1485)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthese to cause a denial of service. (CVE-2013-1486, CVE-2013-1487).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1735-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-cacao\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-jamvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-zero\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|11\\.10|12\\.04|12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 11.10 / 12.04 / 12.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b27-1.12.3-0ubuntu1~10.04\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre\", pkgver:\"6b27-1.12.3-0ubuntu1~10.04\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b27-1.12.3-0ubuntu1~10.04\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b27-1.12.3-0ubuntu1~10.04\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b27-1.12.3-0ubuntu1~10.04\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b27-1.12.3-0ubuntu1~11.10\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"icedtea-6-jre-jamvm\", pkgver:\"6b27-1.12.3-0ubuntu1~11.10\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"openjdk-6-jre\", pkgver:\"6b27-1.12.3-0ubuntu1~11.10\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b27-1.12.3-0ubuntu1~11.10\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b27-1.12.3-0ubuntu1~11.10\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b27-1.12.3-0ubuntu1~11.10\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b27-1.12.3-0ubuntu1~12.04\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-jamvm\", pkgver:\"6b27-1.12.3-0ubuntu1~12.04\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre\", pkgver:\"6b27-1.12.3-0ubuntu1~12.04\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b27-1.12.3-0ubuntu1~12.04\")) 
flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b27-1.12.3-0ubuntu1~12.04\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b27-1.12.3-0ubuntu1~12.04\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"icedtea-7-jre-cacao\", pkgver:\"7u15-2.3.7-0ubuntu1~12.10\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"icedtea-7-jre-jamvm\", pkgver:\"7u15-2.3.7-0ubuntu1~12.10\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre\", pkgver:\"7u15-2.3.7-0ubuntu1~12.10\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre-headless\", pkgver:\"7u15-2.3.7-0ubuntu1~12.10\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre-lib\", pkgver:\"7u15-2.3.7-0ubuntu1~12.10\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre-zero\", pkgver:\"7u15-2.3.7-0ubuntu1~12.10\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-6-jre-cacao / icedtea-6-jre-jamvm / icedtea-7-jre-cacao / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:54:06", "description": "Updated java-1.7.0-openjdk packages fix security vulnerabilities :\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions (CVE-2012-3174,\nCVE-2013-0422).\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, Libraries, and Beans components in OpenJDK. 
An untrusted\nJava application or applet could use these flaws to bypass Java\nsandbox restrictions (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441,\nCVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450,\nCVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0444).\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially crafted image\ncould cause Java Virtual Machine memory corruption and, possibly, lead\nto arbitrary code execution with the virtual machine privileges\n(CVE-2013-1478, CVE-2013-1480).\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions (CVE-2013-0432).\n\nThe default Java security properties configuration did not restrict\naccess to certain com.sun.xml.internal packages. An untrusted Java\napplication or applet could use this flaw to access information,\nbypassing certain Java sandbox restrictions. This update lists the\nwhole package as restricted (CVE-2013-0435).\n\nMultiple improper permission check issues were discovered in the JMX,\nLibraries, Networking, and JAXP components. An untrusted Java\napplication or applet could use these flaws to bypass certain Java\nsandbox restrictions (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433,\nCVE-2013-0434).\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could\nuse this flaw to perform a cross-site scripting (XSS) attack\n(CVE-2013-0424).\n\nIt was discovered that the SSL/TLS implementation in the JSSE\ncomponent did not properly enforce handshake message ordering,\nallowing an unlimited number of handshake restarts. 
A remote attacker\ncould use this flaw to make an SSL/TLS server using JSSE consume an\nexcessive amount of CPU by continuously restarting the handshake\n(CVE-2013-0440).\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this\nflaw to perform a small subgroup attack (CVE-2013-0443).\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions\n(CVE-2013-1486, CVE-2013-1484).\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions\n(CVE-2013-1485).\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle (CVE-2013-0169).\n\nAn integer overflow flaw was found in the way the 2D component handled\ncertain sample model instances. A specially crafted sample model\ninstance could cause Java Virtual Machine memory corruption and,\npossibly, lead to arbitrary code execution with virtual machine\nprivileges (CVE-2013-0809).\n\nIt was discovered that the 2D component did not properly reject\ncertain malformed images. 
Specially crafted raster parameters could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with virtual machine privileges\n(CVE-2013-1493).", "edition": 25, "published": "2013-04-20T00:00:00", "title": "Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:095)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-1485", "CVE-2013-0169", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0809", "CVE-2013-0442", "CVE-2013-0431", "CVE-2013-0434", "CVE-2013-0443", "CVE-2012-3174", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-1493", "CVE-2013-0425", "CVE-2013-1484", "CVE-2013-0422", "CVE-2013-0441"], "modified": "2013-04-20T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-src", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-javadoc"], "id": "MANDRIVA_MDVSA-2013-095.NASL", "href": "https://www.tenable.com/plugins/nessus/66107", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:095. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66107);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0169\", \"CVE-2013-0422\", \"CVE-2013-0424\", \"CVE-2013-0425\", \"CVE-2013-0426\", \"CVE-2013-0427\", \"CVE-2013-0428\", \"CVE-2013-0429\", \"CVE-2013-0431\", \"CVE-2013-0432\", \"CVE-2013-0433\", \"CVE-2013-0434\", \"CVE-2013-0435\", \"CVE-2013-0440\", \"CVE-2013-0441\", \"CVE-2013-0442\", \"CVE-2013-0443\", \"CVE-2013-0444\", \"CVE-2013-0445\", \"CVE-2013-0450\", \"CVE-2013-0809\", \"CVE-2013-1475\", \"CVE-2013-1476\", \"CVE-2013-1478\", \"CVE-2013-1480\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\", \"CVE-2013-1493\");\n script_bugtraq_id(57246, 57312, 57686, 57687, 57689, 57691, 57692, 57694, 57696, 57701, 57702, 57703, 57709, 57710, 57711, 57712, 57713, 57715, 57719, 57724, 57726, 57727, 57729, 57730, 57778, 58027, 58028, 58029, 58238, 58296);\n script_xref(name:\"MDVSA\", value:\"2013:095\");\n script_xref(name:\"MGASA\", value:\"2013-0018\");\n script_xref(name:\"MGASA\", value:\"2013-0056\");\n script_xref(name:\"MGASA\", value:\"2013-0084\");\n script_xref(name:\"MGASA\", value:\"2013-0088\");\n\n script_name(english:\"Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:095)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages fix security vulnerabilities :\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. 
An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions (CVE-2012-3174,\nCVE-2013-0422).\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted\nJava application or applet could use these flaws to bypass Java\nsandbox restrictions (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441,\nCVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450,\nCVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0444).\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially crafted image\ncould cause Java Virtual Machine memory corruption and, possibly, lead\nto arbitrary code execution with the virtual machine privileges\n(CVE-2013-1478, CVE-2013-1480).\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions (CVE-2013-0432).\n\nThe default Java security properties configuration did not restrict\naccess to certain com.sun.xml.internal packages. An untrusted Java\napplication or applet could use this flaw to access information,\nbypassing certain Java sandbox restrictions. This update lists the\nwhole package as restricted (CVE-2013-0435).\n\nMultiple improper permission check issues were discovered in the JMX,\nLibraries, Networking, and JAXP components. An untrusted Java\napplication or applet could use these flaws to bypass certain Java\nsandbox restrictions (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433,\nCVE-2013-0434).\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. 
An attacker could\nuse this flaw to perform a cross-site scripting (XSS) attack\n(CVE-2013-0424).\n\nIt was discovered that the SSL/TLS implementation in the JSSE\ncomponent did not properly enforce handshake message ordering,\nallowing an unlimited number of handshake restarts. A remote attacker\ncould use this flaw to make an SSL/TLS server using JSSE consume an\nexcessive amount of CPU by continuously restarting the handshake\n(CVE-2013-0440).\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this\nflaw to perform a small subgroup attack (CVE-2013-0443).\n\nMultiple improper permission check issues were discovered in the JMX\nand Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions\n(CVE-2013-1486, CVE-2013-1484).\n\nAn improper permission check issue was discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could\nuse this flaw to bypass certain Java sandbox restrictions\n(CVE-2013-1485).\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle (CVE-2013-0169).\n\nAn integer overflow flaw was found in the way the 2D component handled\ncertain sample model instances. A specially crafted sample model\ninstance could cause Java Virtual Machine memory corruption and,\npossibly, lead to arbitrary code execution with virtual machine\nprivileges (CVE-2013-0809).\n\nIt was discovered that the 2D component did not properly reject\ncertain malformed images. 
Specially crafted raster parameters could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with virtual machine privileges\n(CVE-2013-1493).\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java CMM Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This 
script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandrake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.6-2.3.8.1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.6-2.3.8.1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.6-2.3.8.1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.8.1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.6-2.3.8.1.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T14:39:44", "description": "IBM Java 7 was updated to SR4, fixing various critical security issues\nand bugs.\n\nPlease see the IBM JDK Alert page for more information 
:\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/\n\nSecurity issues fixed :\n\n - / CVE-2012-3174. (CVE-2013-1487 / CVE-2013-1486 /\n CVE-2013-1478 / CVE-2013-0445 / CVE-2013-1480 /\n CVE-2013-0441 / CVE-2013-1476 / CVE-2012-1541 /\n CVE-2013-0446 / CVE-2012-3342 / CVE-2013-0442 /\n CVE-2013-0450 / CVE-2013-0425 / CVE-2013-0426 /\n CVE-2013-0428 / CVE-2012-3213 / CVE-2013-0419 /\n CVE-2013-0423 / CVE-2013-0351 / CVE-2013-0432 /\n CVE-2013-1473 / CVE-2013-0435 / CVE-2013-0434 /\n CVE-2013-0409 / CVE-2013-0427 / CVE-2013-0433 /\n CVE-2013-0424 / CVE-2013-0440 / CVE-2013-0438 /\n CVE-2013-0443 / CVE-2013-1484 / CVE-2013-1485 /\n CVE-2013-0437 / CVE-2013-0444 / CVE-2013-0449 /\n CVE-2013-0431 / CVE-2013-0422)", "edition": 17, "published": "2013-03-13T00:00:00", "title": "SuSE 11.2 Security Update : Java (SAT Patch Number 7454)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0426", "CVE-2012-1541", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-1485", "CVE-2013-0435", "CVE-2013-0442", "CVE-2012-3342", "CVE-2013-0431", "CVE-2013-1473", "CVE-2013-0434", "CVE-2013-0443", "CVE-2012-3174", "CVE-2013-0351", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-0438", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-1487", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-0450", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-0437", "CVE-2013-0425", "CVE-2013-1484", "CVE-2013-0422", "CVE-2013-0441", "CVE-2013-0449", "CVE-2013-0423", "CVE-2013-0419"], "modified": "2013-03-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm", "p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_JAVA-1_7_0-IBM-130306.NASL", "href": "https://www.tenable.com/plugins/nessus/65246", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65246);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-1541\", \"CVE-2012-3174\", \"CVE-2012-3213\", \"CVE-2012-3342\", \"CVE-2013-0351\", \"CVE-2013-0409\", \"CVE-2013-0419\", \"CVE-2013-0422\", \"CVE-2013-0423\", \"CVE-2013-0424\", \"CVE-2013-0425\", \"CVE-2013-0426\", \"CVE-2013-0427\", \"CVE-2013-0428\", \"CVE-2013-0431\", \"CVE-2013-0432\", \"CVE-2013-0433\", \"CVE-2013-0434\", \"CVE-2013-0435\", \"CVE-2013-0437\", \"CVE-2013-0438\", \"CVE-2013-0440\", \"CVE-2013-0441\", \"CVE-2013-0442\", \"CVE-2013-0443\", \"CVE-2013-0444\", \"CVE-2013-0445\", \"CVE-2013-0446\", \"CVE-2013-0449\", \"CVE-2013-0450\", \"CVE-2013-1473\", \"CVE-2013-1476\", \"CVE-2013-1478\", \"CVE-2013-1480\", \"CVE-2013-1484\", \"CVE-2013-1485\", \"CVE-2013-1486\", \"CVE-2013-1487\");\n\n script_name(english:\"SuSE 11.2 Security Update : Java (SAT Patch Number 7454)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"IBM Java 7 was updated to SR4, fixing various critical security issues\nand bugs.\n\nPlease see the IBM JDK Alert page for more information :\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/\n\nSecurity issues fixed :\n\n - / CVE-2012-3174. 
(CVE-2013-1487 / CVE-2013-1486 /\n CVE-2013-1478 / CVE-2013-0445 / CVE-2013-1480 /\n CVE-2013-0441 / CVE-2013-1476 / CVE-2012-1541 /\n CVE-2013-0446 / CVE-2012-3342 / CVE-2013-0442 /\n CVE-2013-0450 / CVE-2013-0425 / CVE-2013-0426 /\n CVE-2013-0428 / CVE-2012-3213 / CVE-2013-0419 /\n CVE-2013-0423 / CVE-2013-0351 / CVE-2013-0432 /\n CVE-2013-1473 / CVE-2013-0435 / CVE-2013-0434 /\n CVE-2013-0409 / CVE-2013-0427 / CVE-2013-0433 /\n CVE-2013-0424 / CVE-2013-0440 / CVE-2013-0438 /\n CVE-2013-0443 / CVE-2013-1484 / CVE-2013-1485 /\n CVE-2013-0437 / CVE-2013-0444 / CVE-2013-0449 /\n CVE-2013-0431 / CVE-2013-0422)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=798535\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-1541.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3174.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3213.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3342.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0351.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0409.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0419.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0422.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0423.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0424.html\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0425.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0426.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0427.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0428.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0431.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0432.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0433.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0434.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0435.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0437.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0438.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0440.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0441.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0442.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0443.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0444.html\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0445.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0446.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0449.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-0450.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1473.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1476.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1478.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1480.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1484.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1485.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1486.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1487.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7454.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_7_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu 
&& \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"java-1_7_0-ibm-1.7.0_sr4.0-0.6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"java-1_7_0-ibm-jdbc-1.7.0_sr4.0-0.6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"i586\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr4.0-0.6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"i586\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr4.0-0.6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"x86_64\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr4.0-0.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:39:04", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1485", "CVE-2013-0169", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1484"], "description": "Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used \nin OpenJDK was vulnerable to a timing side-channel attack known as the \n\"Lucky Thirteen\" issue. A remote attacker could use this issue to perform \nplaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and data integrity. An attacker could exploit this to cause a \ndenial of service. This issue only affected Ubuntu 12.10. (CVE-2013-1484)\n\nA data integrity vulnerability was discovered in the OpenJDK JRE. This \nissue only affected Ubuntu 12.10. (CVE-2013-1485)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure and data integrity. 
An attacker could exploit these \nto cause a denial of service. (CVE-2013-1486, CVE-2013-1487)", "edition": 5, "modified": "2013-02-21T00:00:00", "published": "2013-02-21T00:00:00", "id": "USN-1735-1", "href": "https://ubuntu.com/security/notices/USN-1735-1", "title": "OpenJDK vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:25:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0426", "CVE-2012-1541", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-1485", "CVE-2013-0435", "CVE-2013-0442", "CVE-2012-3342", "CVE-2013-0431", "CVE-2013-1473", "CVE-2013-0434", "CVE-2013-0443", "CVE-2012-3174", "CVE-2013-0351", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-0438", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-1487", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-0450", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-0437", "CVE-2013-0425", "CVE-2013-1484", "CVE-2013-0422", "CVE-2013-0441", "CVE-2013-0449", "CVE-2013-0423", "CVE-2013-0419"], "description": "IBM Java 7 was updated to SR4, fixing various critical\n security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n http://www.ibm.com/developerworks/java/jdk/alerts/\n\n Security issues fixed:\n\n CVE-2013-1487, CVE-2013-1486, CVE-2013-1478, CVE-2013-0445,\n CVE-2013-1480, CVE-2013-0441, CVE-2013-1476,\n CVE-2012-1541, CVE-2013-0446, CVE-2012-3342,\n CVE-2013-0442, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\n CVE-2013-0428, CVE-2012-3213, CVE-2013-0419,\n CVE-2013-0423, CVE-2013-0351, CVE-2013-0432,\n CVE-2013-1473, CVE-2013-0435, CVE-2013-0434, CVE-2013-0409,\n CVE-2013-0427, CVE-2013-0433, CVE-2013-0424,\n 
CVE-2013-0440, CVE-2013-0438, CVE-2013-0443,\n CVE-2013-1484, CVE-2013-1485, CVE-2013-0437, CVE-2013-0444,\n CVE-2013-0449, CVE-2013-0431, CVE-2013-0422, CVE-2012-3174.\n\n", "edition": 1, "modified": "2013-03-13T00:05:30", "published": "2013-03-13T00:05:30", "id": "SUSE-SU-2013:0440-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00013.html", "title": "Security update for Java (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-0426", "CVE-2012-1541", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0448", "CVE-2013-1485", "CVE-2013-1479", "CVE-2013-0169", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2012-3342", "CVE-2013-0431", "CVE-2013-1472", "CVE-2013-1473", "CVE-2012-4301", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0351", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1483", "CVE-2013-1474", "CVE-2013-0409", "CVE-2013-0438", "CVE-2013-0439", "CVE-2013-1477", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-0447", "CVE-2013-1487", "CVE-2013-0430", "CVE-2013-0445", "CVE-2013-0432", "CVE-2012-4305", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-0450", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0436", "CVE-2013-0437", "CVE-2013-0425", "CVE-2013-1484", "CVE-2013-0441", "CVE-2013-1482", "CVE-2013-1489", "CVE-2012-1543", "CVE-2013-0449", "CVE-2013-0423", "CVE-2013-0419"], "description": "~50 different vulnerabilities are fixed with the CPU.", "edition": 1, "modified": "2013-03-19T00:00:00", "published": "2013-03-19T00:00:00", "id": "SECURITYVULNS:VULN:12873", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12873", "title": "Oracle Java multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:20", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2431", "CVE-2010-3562", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-2415", "CVE-2012-1711", "CVE-2014-2397", "CVE-2013-1571", "CVE-2013-5782", "CVE-2011-3557", "CVE-2013-2417", "CVE-2013-1500", "CVE-2013-2448", "CVE-2010-3557", "CVE-2011-3551", "CVE-2013-4002", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2014-0457", "CVE-2013-5850", "CVE-2013-2407", "CVE-2013-5778", "CVE-2013-1478", "CVE-2013-2456", "CVE-2010-3551", "CVE-2011-0868", "CVE-2013-0428", "CVE-2014-0446", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-0169", "CVE-2010-3553", "CVE-2012-1719", "CVE-2014-1876", "CVE-2014-0458", "CVE-2013-0429", "CVE-2014-2427", "CVE-2011-3563", "CVE-2013-1475", "CVE-2013-2421", "CVE-2013-1518", "CVE-2013-0435", "CVE-2012-5087", "CVE-2013-0809", "CVE-2013-0442", "CVE-2010-3566", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-5842", "CVE-2010-4448", "CVE-2013-0431", "CVE-2010-4465", "CVE-2012-5085", "CVE-2012-4540", "CVE-2011-0869", "CVE-2010-3565", "CVE-2012-5076", "CVE-2013-5830", "CVE-2013-2473", "CVE-2013-6954", "CVE-2012-4416", "CVE-2012-5075", "CVE-2014-0453", "CVE-2013-1488", "CVE-2012-0424", "CVE-2013-0434", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2013-5817", "CVE-2010-4469", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2014-0461", "CVE-2012-1723", "CVE-2013-2463", "CVE-2011-3571", "CVE-2010-3860", "CVE-2011-3389", "CVE-2013-2469", "CVE-2014-0459", "CVE-2014-0456", "CVE-2010-4450", "CVE-2012-1726", "CVE-2013-2465", "CVE-2013-1537", "CVE-2014-0429", "CVE-2013-5806", "CVE-2010-3574", "CVE-2011-3544", "CVE-2013-5805", "CVE-2011-3553", 
"CVE-2013-0444", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-5825", "CVE-2012-1717", "CVE-2013-2423", "CVE-2010-3541", "CVE-2013-5823", "CVE-2011-3558", "CVE-2014-2403", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2009-3555", "CVE-2013-2429", "CVE-2013-5849", "CVE-2014-2412", "CVE-2010-2548", "CVE-2012-5086", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-5077", "CVE-2013-1486", "CVE-2013-1476", "CVE-2010-4476", "CVE-2010-4472", "CVE-2013-5780", "CVE-2010-4471", "CVE-2014-2421", "CVE-2012-5069", "CVE-2012-3216", "CVE-2014-0460", "CVE-2011-0870", "CVE-2011-0815", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2012-1718", "CVE-2010-2783", "CVE-2013-2458", "CVE-2011-3554", "CVE-2013-0424", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2013-5814", "CVE-2010-3561", "CVE-2011-0025", "CVE-2012-0501", "CVE-2010-3564", "CVE-2013-0440", "CVE-2013-2443", "CVE-2010-3549", "CVE-2012-3422", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2013-5829", "CVE-2010-3554", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2014-2423", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-3560", "CVE-2013-1493", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2010-4351", "CVE-2011-0864", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2426", "CVE-2013-2455", "CVE-2013-2422", "CVE-2013-2383", "CVE-2013-0425", "CVE-2013-1484", "CVE-2011-3552", "CVE-2013-5774", "CVE-2012-1724", "CVE-2010-3567", "CVE-2010-3573", "CVE-2013-6629", "CVE-2012-5068", "CVE-2013-3829", "CVE-2013-0441", "CVE-2010-3548", "CVE-2011-0706", "CVE-2012-5979", "CVE-2012-0502", "CVE-2013-5783", "CVE-2010-4467", "CVE-2012-3423", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2014-2398", "CVE-2010-3568", "CVE-2014-0451", "CVE-2013-1569", "CVE-2013-2412", "CVE-2014-0452", "CVE-2011-0862", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2014-2414", "CVE-2010-3569", "CVE-2011-0871", "CVE-2013-2449", "CVE-2011-0872", 
"CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "description": "### Background\n\nIcedTea is a distribution of the Java OpenJDK source code built with free build tools. \n\n### Description\n\nMultiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll IcedTea JDK users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.3\"", "edition": 1, "modified": "2016-04-19T00:00:00", "published": "2014-06-29T00:00:00", "id": "GLSA-201406-32", "href": "https://security.gentoo.org/glsa/201406-32", "type": "gentoo", "title": "IcedTea JDK: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:14", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-2431", "CVE-2013-2468", "CVE-2013-2420", "CVE-2013-5889", "CVE-2013-2384", "CVE-2013-2415", "CVE-2013-5848", "CVE-2012-1711", "CVE-2013-1491", "CVE-2013-1571", "CVE-2013-5782", "CVE-2013-5846", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-0402", "CVE-2013-5818", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2416", "CVE-2013-2427", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2012-1725", "CVE-2014-0385", "CVE-2013-2424", "CVE-2013-5878", "CVE-2013-5850", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-5778", "CVE-2013-2456", "CVE-2013-0448", "CVE-2014-0410", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-1479", "CVE-2013-2462", "CVE-2013-0169", 
"CVE-2014-0415", "CVE-2013-2414", "CVE-2012-1719", "CVE-2013-2394", "CVE-2011-3563", "CVE-2013-5870", "CVE-2013-2421", "CVE-2012-3159", "CVE-2013-1518", "CVE-2013-5776", "CVE-2012-5087", "CVE-2013-5788", "CVE-2013-5905", "CVE-2013-0809", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2013-5893", "CVE-2013-5842", "CVE-2014-0387", "CVE-2012-5085", "CVE-2012-5076", "CVE-2013-5810", "CVE-2013-5830", "CVE-2013-2473", "CVE-2012-5079", "CVE-2012-4416", "CVE-2013-5898", "CVE-2012-0507", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-5832", "CVE-2012-3136", "CVE-2013-1488", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2014-0375", "CVE-2012-5081", "CVE-2012-5067", "CVE-2013-5817", "CVE-2012-0503", "CVE-2012-3174", "CVE-2011-5035", "CVE-2013-2419", "CVE-2012-1723", "CVE-2013-2463", "CVE-2013-1563", "CVE-2013-2469", "CVE-2013-5787", "CVE-2013-5852", "CVE-2012-1726", "CVE-2014-0418", "CVE-2013-0351", "CVE-2013-2465", "CVE-2014-0373", "CVE-2013-1537", "CVE-2013-3743", "CVE-2013-5854", "CVE-2012-0498", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5887", "CVE-2012-0506", "CVE-2014-0408", "CVE-2013-5825", "CVE-2012-1717", "CVE-2012-1721", "CVE-2014-0376", "CVE-2013-2423", "CVE-2014-0422", "CVE-2013-5789", "CVE-2014-0411", "CVE-2013-2439", "CVE-2013-1561", "CVE-2013-5823", "CVE-2013-0409", "CVE-2013-5895", "CVE-2013-0438", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2013-2428", "CVE-2012-5083", "CVE-2013-5843", "CVE-2012-5088", "CVE-2013-5899", "CVE-2013-2429", "CVE-2013-5812", "CVE-2013-5849", "CVE-2012-5086", "CVE-2013-5896", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-1532", "CVE-2012-5077", "CVE-2013-1486", "CVE-2014-0417", "CVE-2013-5780", "CVE-2013-5910", "CVE-2013-1487", "CVE-2013-5906", "CVE-2013-0430", "CVE-2013-0445", "CVE-2012-5069", "CVE-2014-0428", "CVE-2012-3216", "CVE-2014-0382", "CVE-2012-0505", "CVE-2013-5824", "CVE-2012-5084", "CVE-2013-5831", "CVE-2012-1718", "CVE-2013-2440", 
"CVE-2013-2434", "CVE-2013-2464", "CVE-2013-2458", "CVE-2012-3213", "CVE-2013-2459", "CVE-2012-5071", "CVE-2013-5814", "CVE-2013-2442", "CVE-2012-0499", "CVE-2012-0501", "CVE-2013-0446", "CVE-2013-2432", "CVE-2012-1722", "CVE-2014-0368", "CVE-2013-2443", "CVE-2014-0423", "CVE-2013-1481", "CVE-2013-5775", "CVE-2013-2446", "CVE-2012-0547", "CVE-2013-5829", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2438", "CVE-2013-1540", "CVE-2012-0500", "CVE-2013-2467", "CVE-2013-5907", "CVE-2013-1493", "CVE-2013-5902", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-5844", "CVE-2013-0437", "CVE-2012-4681", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2012-0504", "CVE-2013-2426", "CVE-2014-0424", "CVE-2013-2455", "CVE-2013-5819", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-1484", "CVE-2013-1564", "CVE-2013-1558", "CVE-2013-5774", "CVE-2012-1724", "CVE-2013-0422", "CVE-2012-5068", "CVE-2014-0403", "CVE-2013-3829", "CVE-2012-1682", "CVE-2012-3143", "CVE-2012-0502", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-2425", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-1569", "CVE-2013-5838", "CVE-2013-2412", "CVE-2013-0449", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2013-5801", "CVE-2014-0416", "CVE-2013-2449", "CVE-2013-2466", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-0423", "CVE-2013-5772", "CVE-2013-0419"], "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). \n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nAn unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code. Furthermore, a local or remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.7.0.51\"\n \n\nAll Oracle JRE 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.7.0.51\"\n \n\nAll users of the precompiled 32-bit Oracle JRE should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.7.0.51\"\n \n\nAll Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one of the newer Oracle packages like dev-java/oracle-jdk-bin or dev-java/oracle-jre-bin or choose another alternative we provide; e.g. the IBM JDK/JRE or the open source IcedTea. \n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically.", "edition": 1, "modified": "2014-01-27T00:00:00", "published": "2014-01-27T00:00:00", "id": "GLSA-201401-30", "href": "https://security.gentoo.org/glsa/201401-30", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}