ID: CVE-2014-0416
Type: cve
Reporter: cve@mitre.org
Modified: 2020-09-08T13:00:00
Description
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how principals are set for the Subject class, which allows attackers to escape the sandbox using deserialization of a crafted Subject instance.
{"redhat": [{"lastseen": "2019-12-11T13:32:24", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4578", "CVE-2013-5907", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0411", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0428"], "description": "IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2013-5907, CVE-2014-0368,\nCVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0417,\nCVE-2014-0422, CVE-2014-0423, CVE-2014-0428)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP5 release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "modified": "2018-06-07T09:04:17", "published": "2014-02-04T05:00:00", "id": "RHSA-2014:0136", "href": "https://access.redhat.com/errata/RHSA-2014:0136", "type": "redhat", "title": "(RHSA-2014:0136) Important: java-1.5.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:13", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4578", "CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5896", "CVE-2013-5907", "CVE-2013-5910", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0411", "CVE-2014-0416", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0428"], "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger a Java Virtual\nMachine memory corruption when processed. 
An untrusted Java application or\napplet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA and\nJNDI components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2014-0428,\nCVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to a disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:36", "published": "2014-01-27T05:00:00", "id": "RHSA-2014:0097", "href": "https://access.redhat.com/errata/RHSA-2014:0097", "type": "redhat", "title": "(RHSA-2014:0097) Important: java-1.6.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:19", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2013-5896", "CVE-2013-5907", "CVE-2013-5910", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0411", "CVE-2014-0416", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0428"], "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger Java Virtual Machine\nmemory corruption when processed. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. 
This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nNote: The java-1.7.0-openjdk package shipped with Red Hat Enterprise Linux\n6.5 via RHBA-2013:1611 replaced \"java7\" with \"java\" in the provides list.\nThis update re-adds \"java7\" to the provides list to maintain backwards\ncompatibility with releases prior to Red Hat Enterprise Linux 6.5.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:33", "published": "2014-01-15T05:00:00", "id": "RHSA-2014:0026", "href": "https://access.redhat.com/errata/RHSA-2014:0026", "type": "redhat", "title": "(RHSA-2014:0026) Critical: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:16", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4578", "CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2013-5896", "CVE-2013-5907", "CVE-2013-5910", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0411", "CVE-2014-0416", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0428"], "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. 
A specially crafted font file could trigger Java Virtual Machine\nmemory corruption when processed. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2017-09-08T11:49:48", "published": "2014-01-15T05:00:00", "id": "RHSA-2014:0027", "href": "https://access.redhat.com/errata/RHSA-2014:0027", "type": "redhat", "title": "(RHSA-2014:0027) Important: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:32:10", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4578", "CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5887", "CVE-2013-5888", "CVE-2013-5889", "CVE-2013-5896", "CVE-2013-5898", "CVE-2013-5899", "CVE-2013-5907", "CVE-2013-5910", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0375", "CVE-2014-0376", "CVE-2014-0387", "CVE-2014-0403", "CVE-2014-0410", "CVE-2014-0411", "CVE-2014-0415", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0424", "CVE-2014-0428"], "description": "IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2013-5878, CVE-2013-5884,\nCVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898,\nCVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373,\nCVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410,\nCVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422,\nCVE-2014-0423, CVE-2014-0424, CVE-2014-0428)\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 6 SR15-FP1 release. 
All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "modified": "2018-06-07T09:04:16", "published": "2014-02-04T05:00:00", "id": "RHSA-2014:0135", "href": "https://access.redhat.com/errata/RHSA-2014:0135", "type": "redhat", "title": "(RHSA-2014:0135) Critical: java-1.6.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:30:56", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4578", "CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5887", "CVE-2013-5888", "CVE-2013-5889", "CVE-2013-5896", "CVE-2013-5898", "CVE-2013-5899", "CVE-2013-5907", "CVE-2013-5910", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0375", "CVE-2014-0376", "CVE-2014-0387", "CVE-2014-0403", "CVE-2014-0410", "CVE-2014-0411", "CVE-2014-0415", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0424", "CVE-2014-0428"], "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2013-5878, CVE-2013-5884,\nCVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898,\nCVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373,\nCVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410,\nCVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422,\nCVE-2014-0423, CVE-2014-0424, CVE-2014-0428)\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR6-FP1 release. 
All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "modified": "2018-06-07T09:04:33", "published": "2014-02-04T05:00:00", "id": "RHSA-2014:0134", "href": "https://access.redhat.com/errata/RHSA-2014:0134", "type": "redhat", "title": "(RHSA-2014:0134) Critical: java-1.7.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:05", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4578", "CVE-2013-5870", "CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5887", "CVE-2013-5888", "CVE-2013-5889", "CVE-2013-5893", "CVE-2013-5895", "CVE-2013-5896", "CVE-2013-5898", "CVE-2013-5899", "CVE-2013-5902", "CVE-2013-5904", "CVE-2013-5905", "CVE-2013-5906", "CVE-2013-5907", "CVE-2013-5910", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0375", "CVE-2014-0376", "CVE-2014-0382", "CVE-2014-0387", "CVE-2014-0403", "CVE-2014-0410", "CVE-2014-0411", "CVE-2014-0415", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0418", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0424", "CVE-2014-0428"], "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. 
Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888,\nCVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898,\nCVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906,\nCVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375,\nCVE-2014-0376, CVE-2014-0382, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410,\nCVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418,\nCVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428)\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 51 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.\n", "modified": "2018-06-07T09:04:32", "published": "2014-01-15T05:00:00", "id": "RHSA-2014:0030", "href": "https://access.redhat.com/errata/RHSA-2014:0030", "type": "redhat", "title": "(RHSA-2014:0030) Critical: java-1.7.0-oracle security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:48", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5887", "CVE-2013-5888", "CVE-2013-5889", "CVE-2013-5896", "CVE-2013-5898", "CVE-2013-5899", "CVE-2013-5907", "CVE-2013-5910", "CVE-2013-6629", "CVE-2013-6954", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0375", "CVE-2014-0376", "CVE-2014-0387", "CVE-2014-0403", "CVE-2014-0410", "CVE-2014-0411", "CVE-2014-0415", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0424", "CVE-2014-0428", "CVE-2014-0429", "CVE-2014-0446", "CVE-2014-0449", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-0453", "CVE-2014-0457", "CVE-2014-0458", "CVE-2014-0460", "CVE-2014-0461", "CVE-2014-0878", "CVE-2014-1876", "CVE-2014-2398", "CVE-2014-2401", 
"CVE-2014-2409", "CVE-2014-2412", "CVE-2014-2414", "CVE-2014-2420", "CVE-2014-2421", "CVE-2014-2423", "CVE-2014-2427", "CVE-2014-2428"], "description": "This update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Network Satellite Server\n5.4, 5.5, and 5.6. In a typical operating environment, these are of low\nsecurity risk as the runtime is not used on untrusted applets.\n\nSeveral flaws were fixed in the IBM Java 2 Runtime Environment.\n(CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889,\nCVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910,\nCVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375,\nCVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411,\nCVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423,\nCVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0449,\nCVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0457, CVE-2014-0458,\nCVE-2014-0460, CVE-2014-0461, CVE-2014-0878, CVE-2014-1876, CVE-2014-2398,\nCVE-2014-2401, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420,\nCVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428)\n\nUsers of Red Hat Network Satellite Server 5.4, 5.5, and 5.6 are advised to\nupgrade to these updated packages, which contain the IBM Java SE 6 SR16\nrelease. 
For this update to take effect, Red Hat Network Satellite Server\nmust be restarted (\"/usr/sbin/rhn-satellite restart\"), as well as all\nrunning instances of IBM Java.\n", "modified": "2018-06-07T09:02:27", "published": "2014-07-29T04:00:00", "id": "RHSA-2014:0982", "href": "https://access.redhat.com/errata/RHSA-2014:0982", "type": "redhat", "title": "(RHSA-2014:0982) Low: Red Hat Network Satellite server IBM Java Runtime security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:32:47", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5887", "CVE-2013-5888", "CVE-2013-5889", "CVE-2013-5896", "CVE-2013-5898", "CVE-2013-5899", "CVE-2013-5907", "CVE-2013-5910", "CVE-2013-6629", "CVE-2013-6954", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0375", "CVE-2014-0376", "CVE-2014-0387", "CVE-2014-0403", "CVE-2014-0410", "CVE-2014-0411", "CVE-2014-0415", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0424", "CVE-2014-0428", "CVE-2014-0429", "CVE-2014-0446", "CVE-2014-0448", "CVE-2014-0449", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-0453", "CVE-2014-0454", "CVE-2014-0455", "CVE-2014-0457", "CVE-2014-0458", "CVE-2014-0459", "CVE-2014-0460", "CVE-2014-0461", "CVE-2014-0878", "CVE-2014-1876", "CVE-2014-2398", "CVE-2014-2401", "CVE-2014-2402", "CVE-2014-2409", "CVE-2014-2412", "CVE-2014-2414", "CVE-2014-2420", "CVE-2014-2421", "CVE-2014-2423", "CVE-2014-2427", "CVE-2014-2428"], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment\nand the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. 
(CVE-2013-5878, CVE-2013-5884,\nCVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898,\nCVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954,\nCVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387,\nCVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416,\nCVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428,\nCVE-2014-0429, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451,\nCVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0457,\nCVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876,\nCVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2409, CVE-2014-2412,\nCVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,\nCVE-2014-2428)\n\nAll users of java-1.7.1-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7R1 SR1 release. All running instances\nof IBM Java must be restarted for the update to take effect.\n", "modified": "2018-05-05T00:27:43", "published": "2014-06-10T04:00:00", "id": "RHSA-2014:0705", "href": "https://access.redhat.com/errata/RHSA-2014:0705", "type": "redhat", "title": "(RHSA-2014:0705) Critical: java-1.7.1-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:05", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2437", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2445", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2450", "CVE-2013-2451", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2459", "CVE-2013-2461", "CVE-2013-2463", "CVE-2013-2464", "CVE-2013-2465", "CVE-2013-2466", "CVE-2013-2468", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473", "CVE-2013-3743", "CVE-2013-3829", "CVE-2013-4002", 
"CVE-2013-4578", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5776", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5787", "CVE-2013-5789", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5801", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5812", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5818", "CVE-2013-5819", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5824", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5831", "CVE-2013-5832", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5843", "CVE-2013-5848", "CVE-2013-5849", "CVE-2013-5850", "CVE-2013-5852", "CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5887", "CVE-2013-5888", "CVE-2013-5889", "CVE-2013-5896", "CVE-2013-5898", "CVE-2013-5899", "CVE-2013-5902", "CVE-2013-5905", "CVE-2013-5906", "CVE-2013-5907", "CVE-2013-5910", "CVE-2013-6629", "CVE-2013-6954", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0375", "CVE-2014-0376", "CVE-2014-0387", "CVE-2014-0403", "CVE-2014-0410", "CVE-2014-0411", "CVE-2014-0415", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0418", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0424", "CVE-2014-0428", "CVE-2014-0429", "CVE-2014-0446", "CVE-2014-0449", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-0453", "CVE-2014-0456", "CVE-2014-0457", "CVE-2014-0458", "CVE-2014-0460", "CVE-2014-0461", "CVE-2014-1876", "CVE-2014-2398", "CVE-2014-2401", "CVE-2014-2403", "CVE-2014-2409", "CVE-2014-2412", "CVE-2014-2414", "CVE-2014-2420", "CVE-2014-2421", "CVE-2014-2423", "CVE-2014-2427", "CVE-2014-2428"], "description": "Oracle Java SE version 6 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. 
Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory pages, listed in the References section.\n(CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437,\nCVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446,\nCVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452,\nCVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457,\nCVE-2013-2459, CVE-2013-2461, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3829, CVE-2013-4002,\nCVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780,\nCVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789,\nCVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803,\nCVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817,\nCVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824,\nCVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832,\nCVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849,\nCVE-2013-5850, CVE-2013-5852, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887,\nCVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899,\nCVE-2013-5902, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910,\nCVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375,\nCVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411,\nCVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422,\nCVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446,\nCVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0456,\nCVE-2014-0457, CVE-2014-0458, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876,\nCVE-2014-2398, CVE-2014-2401, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412,\nCVE-2014-2414, 
CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,\nCVE-2014-2428)\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 75 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "modified": "2018-06-07T18:20:34", "published": "2014-04-17T15:19:24", "id": "RHSA-2014:0414", "href": "https://access.redhat.com/errata/RHSA-2014:0414", "type": "redhat", "title": "(RHSA-2014:0414) Important: java-1.6.0-sun security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-17T13:14:03", "description": "Updated java-1.5.0-ibm packages that fix several security issues are\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nIBM J2SE version 5.0 includes the IBM Java Runtime Environment and the\nIBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2013-5907, CVE-2014-0368,\nCVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416,\nCVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP5 release. 
All running\ninstances of IBM Java must be restarted for this update to take\neffect.", "edition": 25, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2014-02-05T00:00:00", "title": "RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2014:0136)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4578", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2014-0417", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-02-05T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm", "cpe:/o:redhat:enterprise_linux:6.6", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-javacomm", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-src", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-plugin"], "id": "REDHAT-RHSA-2014-0136.NASL", "href": "https://www.tenable.com/plugins/nessus/72321", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0136. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72321);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-4578\", \"CVE-2013-5907\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0417\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_bugtraq_id(64894, 64907, 64914, 64918, 64921, 64922, 64930, 64932, 64935, 64937);\n script_xref(name:\"RHSA\", value:\"2014:0136\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2014:0136)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.5.0-ibm packages that fix several security issues are\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nIBM J2SE version 5.0 includes the IBM Java Runtime Environment and the\nIBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. 
(CVE-2013-5907, CVE-2014-0368,\nCVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416,\nCVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP5 release. All running\ninstances of IBM Java must be restarted for this update to take\neffect.\"\n );\n # https://www.ibm.com/developerworks/java/jdk/alerts/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5907\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-4578\"\n 
);\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-javacomm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2014/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0136\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if 
(rpm_check(release:\"RHEL5\", cpu:\"s390\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el5_10\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-plugin-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-src-1.5.0.16.5-1jpp.1.el6_5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.5.0-ibm / java-1.5.0-ibm-accessibility / java-1.5.0-ibm-demo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:26:41", "description": "USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an upstream\nregression, memory was not properly zeroed under certain circumstances\nwhich could lead to instability. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE\nrelated to information disclosure, data integrity and\navailability. An attacker could exploit these to cause a\ndenial of service or expose sensitive data over the network.\n(CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422,\nCVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE\nrelated to information disclosure. An attacker could exploit\nthese to expose sensitive data over the network.\n(CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE\nrelated to availability. An attacker could exploit these to\ncause a denial of service. (CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE\nrelated to data integrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and availability. 
An attacker could\nexploit this to expose sensitive data over the network or\ncause a denial of service. (CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several\nvulnerabilities and bugs in OpenJDK 6. This update\nintroduced a regression which caused an exception condition\nin javax.xml when instantiating encryption algorithms. This\nupdate fixes the problem. We apologize for the\ninconvenience.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-04-08T00:00:00", "title": "Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 regression (USN-2124-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-04-08T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2124-2.NASL", "href": "https://www.tenable.com/plugins/nessus/73398", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2124-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73398);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_xref(name:\"USN\", value:\"2124-2\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 regression (USN-2124-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an upstream\nregression, memory was not properly zeroed under certain circumstances\nwhich could lead to instability. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE\nrelated to information disclosure, data integrity and\navailability. An attacker could exploit these to cause a\ndenial of service or expose sensitive data over the network.\n(CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422,\nCVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE\nrelated to information disclosure. 
An attacker could exploit\nthese to expose sensitive data over the network.\n(CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE\nrelated to availability. An attacker could exploit these to\ncause a denial of service. (CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE\nrelated to data integrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and availability. An attacker could\nexploit this to expose sensitive data over the network or\ncause a denial of service. (CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several\nvulnerabilities and bugs in OpenJDK 6. This update\nintroduced a regression which caused an exception condition\nin javax.xml when instantiating encryption algorithms. This\nupdate fixes the problem. We apologize for the\ninconvenience.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2124-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-jamvm\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\")) flag++;\nif (ubuntu_check(osver:\"12.04\", 
pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-6-jre-cacao / icedtea-6-jre-jamvm / openjdk-6-jre / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:26:40", "description": "A vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker\ncould exploit these to cause a denial of service or expose sensitive\ndata over the network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373,\nCVE-2014-0422, CVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose\nsensitive data over the network. (CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of\nservice. (CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to data\nintegrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and availability. 
An attacker could exploit\nthis to expose sensitive data over the network or cause a denial of\nservice. (CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several vulnerabilities and\nbugs in OpenJDK 6. This update introduced a regression which caused an\nexception condition in javax.xml when instantiating encryption\nalgorithms. This update fixes the problem. We apologize for the\ninconvenience.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-02-28T00:00:00", "title": "Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2124-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-02-28T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2124-1.NASL", "href": "https://www.tenable.com/plugins/nessus/72740", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2124-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72740);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_bugtraq_id(64894, 64907, 64914, 64918, 64921, 64922, 64924, 64926, 64927, 64930, 64933, 64935, 64937);\n script_xref(name:\"USN\", value:\"2124-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2124-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker\ncould exploit these to cause a denial of service or expose sensitive\ndata over the network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373,\nCVE-2014-0422, CVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose\nsensitive data over the network. (CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of\nservice. 
(CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to data\nintegrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and availability. An attacker could exploit\nthis to expose sensitive data over the network or cause a denial of\nservice. (CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several vulnerabilities and\nbugs in OpenJDK 6. This update introduced a regression which caused an\nexception condition in javax.xml when instantiating encryption\nalgorithms. This update fixes the problem. We apologize for the\ninconvenience.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2124-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-jamvm\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-6-jre-cacao / icedtea-6-jre-jamvm / openjdk-6-jre / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2021-04-01T01:23:07", "description": "An input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428 , CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373 ,\nCVE-2013-5878 , CVE-2013-5910 , CVE-2013-5896 , CVE-2013-5884 ,\nCVE-2014-0416 , CVE-2014-0376 , CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. 
This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)", "edition": 26, "published": "2014-02-05T00:00:00", "title": "Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2014-283)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo"], "id": "ALA_ALAS-2014-283.NASL", "href": "https://www.tenable.com/plugins/nessus/72301", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-283.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72301);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_xref(name:\"ALAS\", value:\"2014-283\");\n script_xref(name:\"RHSA\", value:\"2014:0097\");\n\n script_name(english:\"Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2014-283)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"An input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428 , CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373 ,\nCVE-2013-5878 , CVE-2013-5910 , CVE-2013-5896 , CVE-2013-5884 ,\nCVE-2014-0416 , CVE-2014-0376 , CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. 
This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-283.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.6.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif 
(isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-66.1.13.1.62.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-66.1.13.1.62.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-66.1.13.1.62.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-66.1.13.1.62.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-66.1.13.1.62.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:48:07", "description": "An input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. 
An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "edition": 14, "published": "2014-01-28T00:00:00", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64 (20140127)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-01-28T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-javadoc", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": 
"SL_20140127_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/72162", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72162);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64 (20140127)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. 
(CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1401&L=scientific-linux-errata&T=0&P=1210\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?61aa3128\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el5_10\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el5_10\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el5_10\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el5_10\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / 
etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:48:43", "description": "From Red Hat Security Advisory 2014:0097 :\n\nUpdated java-1.6.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. 
This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 21, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2014-01-28T00:00:00", "title": "Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2014-0097)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-4578", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-01-28T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-devel", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-demo", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-javadoc"], "id": "ORACLELINUX_ELSA-2014-0097.NASL", "href": "https://www.tenable.com/plugins/nessus/72160", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:0097 and \n# Oracle Linux Security Advisory ELSA-2014-0097 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72160);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-4578\", \"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", 
\"CVE-2014-0428\");\n script_xref(name:\"RHSA\", value:\"2014:0097\");\n\n script_name(english:\"Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2014-0097)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:0097 :\n\nUpdated java-1.6.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. 
(CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-January/003922.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-January/003923.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.6.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.0.1.el5_10\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T01:23:07", "description": "An input validation flaw was discovered in the font layout 
engine in\nthe 2D component. A specially crafted font file could trigger Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2014-0428 , CVE-2014-0422 , CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373 ,\nCVE-2013-5878 , CVE-2013-5910 , CVE-2013-5896 , CVE-2013-5884 ,\nCVE-2014-0416 , CVE-2014-0376 , CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. 
This could possibly lead to\ndisclosure of information about the used encryption keys.\n(CVE-2014-0411)", "edition": 26, "published": "2014-02-05T00:00:00", "title": "Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2014-280)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.7.0-openjdk", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-280.NASL", "href": "https://www.tenable.com/plugins/nessus/72298", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-280.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72298);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5893\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_xref(name:\"ALAS\", value:\"2014-280\");\n script_xref(name:\"RHSA\", value:\"2014:0026\");\n\n script_name(english:\"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2014-280)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"An input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2014-0428 , CVE-2014-0422 , CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373 ,\nCVE-2013-5878 , CVE-2013-5910 , CVE-2013-5896 , CVE-2013-5884 ,\nCVE-2014-0416 , CVE-2014-0376 , CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. 
This could possibly lead to\ndisclosure of information about the used encryption keys.\n(CVE-2014-0411)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-280.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.7.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif 
(isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.34.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.34.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.34.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.34.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.34.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:13:58", "description": "Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\ndisclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nNote: The java-1.7.0-openjdk package shipped with Red Hat Enterprise\nLinux 6.5 via RHBA-2013:1611 replaced 'java7' with 'java' in the\nprovides list. 
This update re-adds 'java7' to the provides list to\nmaintain backwards compatibility with releases prior to Red Hat\nEnterprise Linux 6.5.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 25, "published": "2014-01-15T00:00:00", "title": "RHEL 6 : java-1.7.0-openjdk (RHSA-2014:0026)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-01-15T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc"], "id": "REDHAT-RHSA-2014-0026.NASL", "href": "https://www.tenable.com/plugins/nessus/71962", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0026. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(71962);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5893\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_bugtraq_id(64863, 64894, 64907, 64914, 64918, 64921, 64922, 64924, 64926, 64927, 64930, 64933, 64935, 64937);\n script_xref(name:\"RHSA\", value:\"2014:0026\");\n\n script_name(english:\"RHEL 6 : java-1.7.0-openjdk (RHSA-2014:0026)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. 
(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\ndisclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nNote: The java-1.7.0-openjdk package shipped with Red Hat Enterprise\nLinux 6.5 via RHBA-2013:1611 replaced 'java7' with 'java' in the\nprovides list. This update re-adds 'java7' to the provides list to\nmaintain backwards compatibility with releases prior to Red Hat\nEnterprise Linux 6.5.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?17c46362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0026\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5878\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5910\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5907\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5884\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5896\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2014-0423\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0026\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", 
reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:14:00", "description": "Updated java-1.6.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 23, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2014-01-28T00:00:00", "title": "RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2014:0097)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-4578", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-01-28T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo"], "id": "REDHAT-RHSA-2014-0097.NASL", "href": "https://www.tenable.com/plugins/nessus/72161", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0097. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72161);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-4578\", \"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_xref(name:\"RHSA\", value:\"2014:0097\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2014:0097)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger a Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA\nand JNDI components in OpenJDK. 
An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\na disclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0097\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5878\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5910\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5907\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5884\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-5896\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-4578\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0097\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", 
reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el5_10\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", 
reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-3.1.13.1.el6_5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:29:15", "description": "Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. 
(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. (CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\ndisclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nNote: The java-1.7.0-openjdk package shipped with Red Hat Enterprise\nLinux 6.5 via RHBA-2013:1611 replaced 'java7' with 'java' in the\nprovides list. This update re-adds 'java7' to the provides list to\nmaintain backwards compatibility with releases prior to Red Hat\nEnterprise Linux 6.5.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 25, "published": "2014-01-16T00:00:00", "title": "CentOS 6 : java-1.7.0-openjdk (CESA-2014:0026)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "modified": "2014-01-16T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc"], "id": "CENTOS_RHSA-2014-0026.NASL", "href": "https://www.tenable.com/plugins/nessus/71978", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0026 and \n# CentOS Errata and Security Advisory 2014:0026 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(71978);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5893\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_bugtraq_id(64863, 64894, 64907, 64914, 64918, 64921, 64922, 64924, 64926, 64927, 64930, 64933, 64935, 64937);\n script_xref(name:\"RHSA\", value:\"2014:0026\");\n\n script_name(english:\"CentOS 6 : java-1.7.0-openjdk (CESA-2014:0026)\");\n script_summary(english:\"Checks rpm output for the updated 
packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in\nthe 2D component. A specially crafted font file could trigger Java\nVirtual Machine memory corruption when processed. An untrusted Java\napplication or applet could possibly use this flaw to bypass Java\nsandbox restrictions. (CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components\nin OpenJDK. An untrusted Java application or applet could use these\nflaws to bypass certain Java sandbox restrictions. (CVE-2014-0373,\nCVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884,\nCVE-2014-0416, CVE-2014-0376, CVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing\nof XML external entities. This flaw could cause a Java application\nusing Beans to leak sensitive information, or affect application\navailability. 
(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing\ninformation during the TLS/SSL handshake. This could possibly lead to\ndisclosure of information about the used encryption keys.\n(CVE-2014-0411)\n\nNote: The java-1.7.0-openjdk package shipped with Red Hat Enterprise\nLinux 6.5 via RHBA-2013:1611 replaced 'java7' with 'java' in the\nprovides list. This update re-adds 'java7' to the provides list to\nmaintain backwards compatibility with releases prior to Red Hat\nEnterprise Linux 6.5.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-January/020107.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?17d0e96d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-5907\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.el6_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-15T01:32:35", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an upstream \nregression, memory was not properly zeroed under certain circumstances \nwhich could lead to instability. 
This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and data integrity. An attacker could exploit this to expose \nsensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422, \nCVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \navailability. An attacker could exploit these to cause a denial of service. \n(CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and availability. An attacker could exploit this to expose \nsensitive data over the network or cause a denial of service. \n(CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several vulnerabilities and bugs \nin OpenJDK 6. This update introduced a regression which caused an exception \ncondition in javax.xml when instantiating encryption algorithms. This \nupdate fixes the problem. 
We apologize for the inconvenience.", "edition": 6, "modified": "2014-04-08T00:00:00", "published": "2014-04-08T00:00:00", "id": "USN-2124-2", "href": "https://ubuntu.com/security/notices/USN-2124-2", "title": "OpenJDK 6 regression", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:38:54", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "A vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and data integrity. An attacker could exploit this to expose \nsensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422, \nCVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to \navailability. An attacker could exploit these to cause a denial of service. \n(CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and availability. An attacker could exploit this to expose \nsensitive data over the network or cause a denial of service. \n(CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several vulnerabilities and bugs \nin OpenJDK 6. 
This update introduced a regression which caused an exception \ncondition in javax.xml when instantiating encryption algorithms. This \nupdate fixes the problem. We apologize for the inconvenience.", "edition": 5, "modified": "2014-02-27T00:00:00", "published": "2014-02-27T00:00:00", "id": "USN-2124-1", "href": "https://ubuntu.com/security/notices/USN-2124-1", "title": "OpenJDK 6 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:35:16", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5878", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5884", "CVE-2013-5893", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2014-0373", "CVE-2013-5806", "CVE-2013-5805", "CVE-2014-0408", "CVE-2013-5825", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5896", "CVE-2013-5780", "CVE-2013-5910", "CVE-2014-0428", "CVE-2013-5814", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5907", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2014-0416", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure and data integrity. An attacker could exploit these \nto expose sensitive data over the network. (CVE-2013-3829, CVE-2013-5783, \nCVE-2013-5804, CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \navailability. An attacker could exploit these to cause a denial of service. \n(CVE-2013-4002, CVE-2013-5803, CVE-2013-5823, CVE-2013-5825, CVE-2013-5896, \nCVE-2013-5910)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. 
(CVE-2013-5772, CVE-2013-5774, CVE-2013-5784, CVE-2013-5797, \nCVE-2013-5820, CVE-2014-0376, CVE-2014-0416)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2013-5778, CVE-2013-5780, CVE-2013-5790, \nCVE-2013-5800, CVE-2013-5840, CVE-2013-5849, CVE-2013-5851, CVE-2013-5884, \nCVE-2014-0368)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. (CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5829, \nCVE-2013-5814, CVE-2013-5817, CVE-2013-5830, CVE-2013-5842, CVE-2013-5850, \nCVE-2013-5878, CVE-2013-5893, CVE-2013-5907, CVE-2014-0373, CVE-2014-0408, \nCVE-2014-0422, CVE-2014-0428)\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and availability. An attacker could exploit this to expose \nsensitive data over the network or cause a denial of service. \n(CVE-2014-0423)", "edition": 5, "modified": "2014-01-23T00:00:00", "published": "2014-01-23T00:00:00", "id": "USN-2089-1", "href": "https://ubuntu.com/security/notices/USN-2089-1", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "**Issue Overview:**\n\nAn input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. 
An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. ([CVE-2013-5907 __](<https://access.redhat.com/security/cve/CVE-2013-5907>))\n\nMultiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2014-0428 __](<https://access.redhat.com/security/cve/CVE-2014-0428>), [CVE-2014-0422 __](<https://access.redhat.com/security/cve/CVE-2014-0422>))\n\nMultiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2014-0373 __](<https://access.redhat.com/security/cve/CVE-2014-0373>), [CVE-2013-5878 __](<https://access.redhat.com/security/cve/CVE-2013-5878>), [CVE-2013-5910 __](<https://access.redhat.com/security/cve/CVE-2013-5910>), [CVE-2013-5896 __](<https://access.redhat.com/security/cve/CVE-2013-5896>), [CVE-2013-5884 __](<https://access.redhat.com/security/cve/CVE-2013-5884>), [CVE-2014-0416 __](<https://access.redhat.com/security/cve/CVE-2014-0416>), [CVE-2014-0376 __](<https://access.redhat.com/security/cve/CVE-2014-0376>), [CVE-2014-0368 __](<https://access.redhat.com/security/cve/CVE-2014-0368>))\n\nIt was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. ([CVE-2014-0423 __](<https://access.redhat.com/security/cve/CVE-2014-0423>))\n\nIt was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys. 
([CVE-2014-0411 __](<https://access.redhat.com/security/cve/CVE-2014-0411>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-src-1.6.0.0-66.1.13.1.62.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.0-66.1.13.1.62.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-66.1.13.1.62.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.0-66.1.13.1.62.amzn1.i686 \n java-1.6.0-openjdk-demo-1.6.0.0-66.1.13.1.62.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-debuginfo-1.6.0.0-66.1.13.1.62.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.0-66.1.13.1.62.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.0-66.1.13.1.62.amzn1.x86_64 \n java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.0-66.1.13.1.62.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.0-66.1.13.1.62.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-02-03T15:27:00", "published": "2014-02-03T15:27:00", "id": "ALAS-2014-283", "href": "https://alas.aws.amazon.com/ALAS-2014-283.html", "title": "Important: java-1.6.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:36:48", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "**Issue Overview:**\n\nAn input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. 
An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. ([CVE-2013-5907 __](<https://access.redhat.com/security/cve/CVE-2013-5907>))\n\nMultiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2014-0428 __](<https://access.redhat.com/security/cve/CVE-2014-0428>), [CVE-2014-0422 __](<https://access.redhat.com/security/cve/CVE-2014-0422>), [CVE-2013-5893 __](<https://access.redhat.com/security/cve/CVE-2013-5893>))\n\nMultiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2014-0373 __](<https://access.redhat.com/security/cve/CVE-2014-0373>), [CVE-2013-5878 __](<https://access.redhat.com/security/cve/CVE-2013-5878>), [CVE-2013-5910 __](<https://access.redhat.com/security/cve/CVE-2013-5910>), [CVE-2013-5896 __](<https://access.redhat.com/security/cve/CVE-2013-5896>), [CVE-2013-5884 __](<https://access.redhat.com/security/cve/CVE-2013-5884>), [CVE-2014-0416 __](<https://access.redhat.com/security/cve/CVE-2014-0416>), [CVE-2014-0376 __](<https://access.redhat.com/security/cve/CVE-2014-0376>), [CVE-2014-0368 __](<https://access.redhat.com/security/cve/CVE-2014-0368>))\n\nIt was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. ([CVE-2014-0423 __](<https://access.redhat.com/security/cve/CVE-2014-0423>))\n\nIt was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. 
([CVE-2014-0411 __](<https://access.redhat.com/security/cve/CVE-2014-0411>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.34.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.34.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.34.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.34.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.34.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.34.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.34.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.34.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.34.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-01-15T10:28:00", "published": "2014-01-15T10:28:00", "id": "ALAS-2014-280", "href": "https://alas.aws.amazon.com/ALAS-2014-280.html", "title": "Critical: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:39", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "[1:1.6.0.1-3.1.13.0]\n- updated to icedtea 1.13.1\n - http://blog.fuseyism.com/index.php/2014/01/23/security-icedtea-1-12-8-1-13-1-for-openjdk-6-released/\n- updated to jdk6, b30, 21_jan_2014\n - https://openjdk6.java.net/OpenJDK6-B30-Changes.html\n- adapted patch7 1.13_fixes.patch\n- pre 2011 changelog moved to (till now wrong) pre-2009-spec-changelog 
(rh1043611)\n- added --disable-system-lcms to configure options to pass build\n- adapted patch3 java-1.6.0-openjdk-java-access-bridge-security.patch\n- Resolves: rhbz#1050190", "edition": 4, "modified": "2014-01-27T00:00:00", "published": "2014-01-27T00:00:00", "id": "ELSA-2014-0097", "href": "http://linux.oracle.com/errata/ELSA-2014-0097.html", "title": "java-1.6.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:22", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "[1.7.0.51-2.4.4.1.0.1.el6_5]\n- Update DISTRO_NAME in specfile\n[1.7.0.51-2.4.4.1.el6]\n- restored java7 provides\n- bumped release (builds exists)\n- Resolves: rhbz#1050935\n[1.7.0.51-2.4.4.0.el6]\n- updated to security icedtea 2.4.4\n - icedtea_version set to 2.4.4\n - updatever bumped to 51\n - release reset to 0\n- sync with fedora\n - added and applied patch411 1029588.patch (rh 1029588)\n - added and applied patch410, 1015432 (rh 1015432)\n- Resolves: rhbz#1050935", "edition": 4, "modified": "2014-01-14T00:00:00", "published": "2014-01-14T00:00:00", "id": "ELSA-2014-0026", "href": "http://linux.oracle.com/errata/ELSA-2014-0026.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:21", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "[1.7.0.51-2.4.4.1.0.1.el5_10]\n- Add oracle-enterprise.patch\n- Fix
DISTRO_NAME to 'Enterprise Linux'\n[1.7.0.51-2.4.4.1.el5]\n- updated to security icedtea 2.4.4\n - icedtea_version set to 2.4.4\n - updatever bumped to 51\n - release reset to 1\n- build requires: java-devel >= 1:1.6.0 changed java7-devel\n- Resolves: rhbz#1050192", "edition": 4, "modified": "2014-01-14T00:00:00", "published": "2014-01-14T00:00:00", "id": "ELSA-2014-0027", "href": "http://linux.oracle.com/errata/ELSA-2014-0027.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-27T10:48:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "Check for the Version of java-1.6.0-openjdk", "modified": "2017-07-12T00:00:00", "published": "2014-01-30T00:00:00", "id": "OPENVAS:871117", "href": "http://plugins.openvas.org/nasl.php?oid=871117", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2014:0097-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.6.0-openjdk RHSA-2014:0097-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(871117);\n script_version(\"$Revision: 6688 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:49:31 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-30 10:46:17 +0530 (Thu, 30 Jan 2014)\");\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\",\n \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\",\n \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\",\n \"CVE-2014-0428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for java-1.6.0-openjdk RHSA-2014:0097-01\");\n\n tag_insight = \"These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger a Java Virtual\nMachine memory corruption when processed. An untrusted Java application or\napplet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA and\nJNDI components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2014-0428,\nCVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. 
An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to a disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\";\n\n tag_affected = \"java-1.6.0-openjdk on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"RHSA\", value: \"2014:0097-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2014-January/msg00022.html\");\n script_summary(\"Check for the Version of java-1.6.0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", 
rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:16:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "Check for the Version of openjdk-6", "modified": "2017-12-01T00:00:00", "published": "2014-04-08T00:00:00", "id": "OPENVAS:841768", "href": "http://plugins.openvas.org/nasl.php?oid=841768", "type": "openvas", "title": "Ubuntu Update for openjdk-6 USN-2124-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2124_2.nasl 
7957 2017-12-01 06:40:08Z santu $\n#\n# Ubuntu Update for openjdk-6 USN-2124-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841768);\n script_version(\"$Revision: 7957 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:40:08 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-08 11:46:00 +0530 (Tue, 08 Apr 2014)\");\n script_cve_id(\"CVE-2014-0411\", \"CVE-2013-5878\", \"CVE-2013-5907\", \"CVE-2014-0373\",\n \"CVE-2014-0422\", \"CVE-2014-0428\", \"CVE-2013-5884\", \"CVE-2014-0368\",\n \"CVE-2013-5896\", \"CVE-2013-5910\", \"CVE-2014-0376\", \"CVE-2014-0416\",\n \"CVE-2014-0423\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for openjdk-6 USN-2124-2\");\n\n tag_insight = \"USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an\nupstream regression, memory was not properly zeroed under certain circumstances\nwhich could lead to instability. 
This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nA vulnerability was discovered in the OpenJDK JRE related to information\ndisclosure and data integrity. An attacker could exploit this to expose\nsensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker could\nexploit these to cause a denial of service or expose sensitive data over\nthe network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422,\nCVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose sensitive\ndata over the network. (CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of service.\n(CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to data\nintegrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to information\ndisclosure and availability. An attacker could exploit this to expose\nsensitive data over the network or cause a denial of service.\n(CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several vulnerabilities and bugs\nin OpenJDK 6. This update introduced a regression which caused an exception\ncondition in javax.xml when instantiating encryption algorithms. This\nupdate fixes the problem. 
We apologize for the inconvenience.\";\n\n tag_affected = \"openjdk-6 on Ubuntu 12.04 LTS ,\n Ubuntu 10.04 LTS\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2124-2\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2124-2/\");\n script_summary(\"Check for the Version of openjdk-6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-jamvm\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-01-30T00:00:00", "id": "OPENVAS:1361412562310881867", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881867", "type": "openvas", "title": "CentOS Update for java CESA-2014:0097 
centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2014:0097 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881867\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-30 10:44:41 +0530 (Thu, 30 Jan 2014)\");\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\",\n \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\",\n \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\",\n \"CVE-2014-0428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2014:0097 centos5\");\n\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 6 Java 
Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger a Java Virtual\nMachine memory corruption when processed. An untrusted Java application or\napplet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA and\nJNDI components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2014-0428,\nCVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to a disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0097\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-January/020121.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2014-04-08T00:00:00", "id": "OPENVAS:1361412562310841768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841768", "type": "openvas", "title": "Ubuntu Update for openjdk-6 USN-2124-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2124_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for openjdk-6 USN-2124-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841768\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-08 11:46:00 +0530 (Tue, 08 Apr 2014)\");\n script_cve_id(\"CVE-2014-0411\", \"CVE-2013-5878\", \"CVE-2013-5907\", \"CVE-2014-0373\",\n \"CVE-2014-0422\", \"CVE-2014-0428\", \"CVE-2013-5884\", \"CVE-2014-0368\",\n \"CVE-2013-5896\", \"CVE-2013-5910\", \"CVE-2014-0376\", \"CVE-2014-0416\",\n \"CVE-2014-0423\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for openjdk-6 USN-2124-2\");\n\n script_tag(name:\"affected\", value:\"openjdk-6 on Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"insight\", value:\"USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an\nupstream regression, memory was not properly zeroed under certain circumstances\nwhich could lead to instability. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nA vulnerability was discovered in the OpenJDK JRE related to information\ndisclosure and data integrity. An attacker could exploit this to expose\nsensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker could\nexploit these to cause a denial of service or expose sensitive data over\nthe network. 
(CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422,\nCVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose sensitive\ndata over the network. (CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of service.\n(CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to data\nintegrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to information\ndisclosure and availability. An attacker could exploit this to expose\nsensitive data over the network or cause a denial of service.\n(CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several vulnerabilities and bugs\nin OpenJDK 6. This update introduced a regression which caused an exception\ncondition in javax.xml when instantiating encryption algorithms. This\nupdate fixes the problem. 
We apologize for the inconvenience.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2124-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2124-2/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-6'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.04 LTS|10\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-jamvm\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", 
ver:\"6b30-1.13.1-1ubuntu2~0.12.04.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-01-30T00:00:00", "id": "OPENVAS:1361412562310871117", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871117", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2014:0097-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for 
java-1.6.0-openjdk RHSA-2014:0097-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871117\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-30 10:46:17 +0530 (Thu, 30 Jan 2014)\");\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\",\n \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\",\n \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\",\n \"CVE-2014-0428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for java-1.6.0-openjdk RHSA-2014:0097-01\");\n\n\n script_tag(name:\"affected\", value:\"java-1.6.0-openjdk on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger a Java Virtual\nMachine memory corruption when processed. An untrusted Java application or\napplet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA and\nJNDI components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2014-0428,\nCVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to a disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:0097-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-January/msg00022.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.6.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(6|5)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~3.1.13.1.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:01:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120002", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120002", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-283)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely 
excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120002\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:14:37 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-283)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in OpenJDK. 
Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update java-1.6.0-openjdk to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-283.html\");\n script_cve_id(\"CVE-2014-0368\", \"CVE-2014-0411\", \"CVE-2013-5878\", \"CVE-2013-5910\", \"CVE-2014-0416\", \"CVE-2014-0373\", \"CVE-2013-5907\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2014-0428\", \"CVE-2014-0422\", \"CVE-2014-0376\", \"CVE-2014-0423\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~66.1.13.1.62.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~66.1.13.1.62.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~66.1.13.1.62.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.0~66.1.13.1.62.amzn1\", rls:\"AMAZON\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~66.1.13.1.62.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~66.1.13.1.62.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-01-30T00:00:00", "id": "OPENVAS:1361412562310881865", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881865", "type": "openvas", "title": "CentOS Update for java CESA-2014:0097 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2014:0097 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881865\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-30 10:43:46 +0530 (Thu, 30 Jan 2014)\");\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\",\n \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\",\n \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\",\n \"CVE-2014-0428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2014:0097 centos6\");\n\n script_tag(name:\"affected\", value:\"java on CentOS 6\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger a Java Virtual\nMachine memory corruption when processed. An untrusted Java application or\napplet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA and\nJNDI components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. 
(CVE-2014-0428,\nCVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to a disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0097\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-January/020120.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~3.1.13.1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~3.1.13.1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "Oracle Linux Local Security Checks ELSA-2014-0097", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123480", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123480", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-0097", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-0097.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local 
Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123480\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:04:26 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-0097\");\n script_tag(name:\"insight\", value:\"ELSA-2014-0097 - java-1.6.0-openjdk security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-0097\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-0097.html\");\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\", \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\", \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\", \"CVE-2014-0428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~3.1.13.1.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", 
rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~3.1.13.1.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~3.1.13.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~3.1.13.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-04T11:17:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "Check for the Version of openjdk-6", "modified": "2017-12-01T00:00:00", "published": "2014-03-04T00:00:00", "id": "OPENVAS:841732", "href": "http://plugins.openvas.org/nasl.php?oid=841732", "type": "openvas", "title": "Ubuntu Update for 
openjdk-6 USN-2124-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2124_1.nasl 7957 2017-12-01 06:40:08Z santu $\n#\n# Ubuntu Update for openjdk-6 USN-2124-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841732);\n script_version(\"$Revision: 7957 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:40:08 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-04 10:49:25 +0530 (Tue, 04 Mar 2014)\");\n script_cve_id(\"CVE-2014-0411\", \"CVE-2013-5878\", \"CVE-2013-5907\", \"CVE-2014-0373\",\n \"CVE-2014-0422\", \"CVE-2014-0428\", \"CVE-2013-5884\", \"CVE-2014-0368\",\n \"CVE-2013-5896\", \"CVE-2013-5910\", \"CVE-2014-0376\", \"CVE-2014-0416\",\n \"CVE-2014-0423\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for openjdk-6 USN-2124-1\");\n\n tag_insight = \"A vulnerability was discovered in the OpenJDK JRE 
related to\ninformation disclosure and data integrity. An attacker could exploit this to\nexpose sensitive data over the network. (CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker could\nexploit these to cause a denial of service or expose sensitive data over\nthe network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422,\nCVE-2014-0428)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose sensitive\ndata over the network. (CVE-2013-5884, CVE-2014-0368)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of service.\n(CVE-2013-5896, CVE-2013-5910)\n\nTwo vulnerabilities were discovered in the OpenJDK JRE related to data\nintegrity. (CVE-2014-0376, CVE-2014-0416)\n\nA vulnerability was discovered in the OpenJDK JRE related to information\ndisclosure and availability. An attacker could exploit this to expose\nsensitive data over the network or cause a denial of service.\n(CVE-2014-0423)\n\nIn addition to the above, USN-2033-1 fixed several vulnerabilities and bugs\nin OpenJDK 6. This update introduced a regression which caused an exception\ncondition in javax.xml when instantiating encryption algorithms. This\nupdate fixes the problem. 
We apologize for the inconvenience.\";\n\n tag_affected = \"openjdk-6 on Ubuntu 12.04 LTS ,\n Ubuntu 10.04 LTS\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2124-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2124-1/\");\n script_summary(\"Check for the Version of openjdk-6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-jamvm\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", ver:\"6b30-1.13.1-1ubuntu2~0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", ver:\"6b30-1.13.1-1ubuntu2~0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:48:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "Check for the Version of java", "modified": "2017-07-10T00:00:00", "published": "2014-01-30T00:00:00", "id": "OPENVAS:881867", "href": "http://plugins.openvas.org/nasl.php?oid=881867", "type": "openvas", "title": "CentOS Update for java CESA-2014:0097 centos5 ", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2014:0097 centos5 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(881867);\n script_version(\"$Revision: 6656 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:49:38 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-30 10:44:41 +0530 (Thu, 30 Jan 2014)\");\n script_cve_id(\"CVE-2013-5878\", \"CVE-2013-5884\", \"CVE-2013-5896\", \"CVE-2013-5907\",\n \"CVE-2013-5910\", \"CVE-2014-0368\", \"CVE-2014-0373\", \"CVE-2014-0376\",\n \"CVE-2014-0411\", \"CVE-2014-0416\", \"CVE-2014-0422\", \"CVE-2014-0423\",\n \"CVE-2014-0428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2014:0097 centos5 \");\n\n tag_insight = \"These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was 
discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger a Java Virtual\nMachine memory corruption when processed. An untrusted Java application or\napplet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA and\nJNDI components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2014-0428,\nCVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to a disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\";\n\n tag_affected = \"java on CentOS 5\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"CESA\", value: \"2014:0097\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2014-January/020121.html\");\n script_summary(\"Check for the Version of java\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", 
rpm:\"java-1.6.0-openjdk-src~1.6.0.0~3.1.13.1.el5_10\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2019-12-20T18:29:02", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0026\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger Java Virtual Machine\nmemory corruption when processed. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. 
This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nNote: The java-1.7.0-openjdk package shipped with Red Hat Enterprise Linux\n6.5 via RHBA-2013:1611 replaced \"java7\" with \"java\" in the provides list.\nThis update re-adds \"java7\" to the provides list to maintain backwards\ncompatibility with releases prior to Red Hat Enterprise Linux 6.5.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-January/032145.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0026.html", "edition": 3, "modified": "2014-01-15T11:04:23", "published": "2014-01-15T11:04:23", "href": "http://lists.centos.org/pipermail/centos-announce/2014-January/032145.html", "id": "CESA-2014:0026", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:25:47", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-4578", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", 
"CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0097\n\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger a Java Virtual\nMachine memory corruption when processed. An untrusted Java application or\napplet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA and\nJNDI components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2014-0428,\nCVE-2014-0422)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to a disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-January/032158.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-January/032159.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0097.html", "edition": 7, "modified": "2014-01-28T00:15:19", "published": "2014-01-27T22:53:27", "href": "http://lists.centos.org/pipermail/centos-announce/2014-January/032158.html", "id": "CESA-2014:0097", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:25:22", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5893", "CVE-2013-4578", "CVE-2014-0373", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5896", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0416"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0027\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger Java Virtual Machine\nmemory corruption when processed. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2013-5907)\n\nMultiple improper permission check issues were discovered in the CORBA,\nJNDI, and Libraries components in OpenJDK. 
An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893)\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368)\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability.\n(CVE-2014-0423)\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to disclosure of\ninformation about the used encryption keys. (CVE-2014-0411)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-January/032146.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0027.html", "edition": 5, "modified": "2014-01-15T11:16:34", "published": "2014-01-15T11:16:34", "href": "http://lists.centos.org/pipermail/centos-announce/2014-January/032146.html", "id": "CESA-2014:0027", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:56:37", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5889", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5888", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "edition": 1, "description": "IBM Java 6 was updated to version SR15-FP1 which received\n security and bug fixes.\n\n More information at:\n http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2014_CPU\n", "modified": "2014-02-21T15:04:13", "published": "2014-02-21T15:04:13", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00013.html", "id": "SUSE-SU-2014:0266-2", "type": "suse", "title": "Security update for 
IBM Java 6 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:03:49", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5889", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5888", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "description": "IBM Java 6 was updated to version SR15-FP1 which received\n security and bug fixes.\n\n More information at:\n http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2014_CPU\n", "edition": 1, "modified": "2014-03-26T18:04:12", "published": "2014-03-26T18:04:12", "id": "SUSE-SU-2014:0451-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html", "title": "Security update for IBM Java 6 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:08:46", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5889", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5888", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "description": "IBM 
Java 6 was updated to version SR15-FP1 which received\n security and bugfixes.\n\n This release fixes the following problems:\n\n * CVE-2014-0428, CVE-2014-0422, CVE-2013-5907,\n CVE-2014-0415,\n * CVE-2014-0410, CVE-2013-5889, CVE-2014-0417,\n CVE-2014-0387,\n * CVE-2014-0424, CVE-2013-5878, CVE-2014-0373,\n CVE-2014-0375,\n * CVE-2014-0403, CVE-2014-0423, CVE-2014-0376,\n CVE-2013-5910,\n * CVE-2013-5884, CVE-2013-5896, CVE-2014-0376,\n CVE-2013-5899,\n * CVE-2014-0416, CVE-2013-5887, CVE-2014-0368,\n CVE-2013-5888,\n * CVE-2013-5898, CVE-2014-0411\n\n More information at:\n http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2014_CPU\n", "edition": 1, "modified": "2014-02-20T20:04:38", "published": "2014-02-20T20:04:38", "id": "SUSE-SU-2014:0266-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html", "type": "suse", "title": "Security update for IBM Java 6 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5889", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5888", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "description": "IBM Java 6 was updated to version SR15-FP1 which received\n security and bug fixes.\n\n More information at:\n 
http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2014_CPU\n", "edition": 1, "modified": "2014-02-24T22:04:17", "published": "2014-02-24T22:04:17", "id": "SUSE-SU-2014:0266-3", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00016.html", "type": "suse", "title": "Security update for IBM Java 6 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:03:49", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5889", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5888", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "description": "This update contains the Oracle January 14 2014 CPU for\n java-1_7_0-ibm.\n\n Find more information at:\n http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2014_CPU\n", "edition": 1, "modified": "2014-02-18T13:04:15", "published": "2014-02-18T13:04:15", "id": "SUSE-SU-2014:0246-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html", "type": "suse", "title": "Security update for IBM Java (important)", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "aix": [{"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5889", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5888", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2014-0428", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nIBM SECURITY ADVISORY\n\nFirst Issued: Thu Mar 6 13:24:59 CST 2014\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/java_jan2014_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/java_jan2014_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/java_jan2014_advisory.asc\n===============================================================================\n VULNERABILITY SUMMARY\n\nVULNERABILITY: Multiple vulnerabilities in current releases of the IBM\u00ae SDK,\n\t\t\t\t Java Technology Edition.\n\nPLATFORMS: PowerSC and AIX 5.3, 6.1 and 7.1.\n VIOS 2.2.x\n\nSOLUTION: Apply the fix as described below.\n\nTHREAT: Varies threats described below.\n\nCERT VU Number: n/a\nCVE Numbers: \n\nReboot required? NO\nWorkarounds? NO\n \n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION\n\n This bulletin covers all applicable Java SE CVEs published by Oracle as part of their \n January 2014 Critical Patch Update. For more information please refer to Oracle's January\n 2014 CPU Advisory and the X-Force database entries referenced below.\n\nII. 
CVSS\n\n CVEID: CVE-2014-0428\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90325 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2014-0422\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90326 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5907\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90324 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2014-0415\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90323 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2014-0410\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90322 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5889\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90328 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2014-0417\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90331 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2014-0387\n CVSS Base Score: 7.6\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90332 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/H:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2014-0424\n CVSS Base Score: 7.5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90333 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)\n\n CVEID: 
CVE-2013-5878\n CVSS Base Score: 7.5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90335 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)\n\n CVEID: CVE-2014-0373\n CVSS Base Score: 7.5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90334 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)\n\n CVEID: CVE-2014-0375\n CVSS Base Score: 5.8\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90339 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/P:A/N)\n\n CVEID: CVE-2014-0403\n CVSS Base Score: 5.8\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90338 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/P:A/N)\n\n CVEID: CVE-2014-0423\n CVSS Base Score: 5.5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90340 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/S:C/P:I/N:A/P)\n\n CVEID: CVE-2014-0376\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90350 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5910\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90352 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5884\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90348 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5896\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90347 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)\n\n CVEID: CVE-2013-5899\n CVSS Base 
Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90346 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2014-0416\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90349 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5887\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90345 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)\n\n CVEID: CVE-2014-0368\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90351 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5888\n CVSS Base Score: 4.6\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90354 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/L:AC/L:Au/N:C/P:I/P:A/P)\n\n CVEID: CVE-2013-5898\n CVSS Base Score: 4\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90356 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/H:Au/N:C/P:I/P:A/N)\n\n CVEID: CVE-2014-0411\n CVSS Base Score: 4\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/H:Au/N:C/P:I/P:A/N)\n\nIII. PLATFORM VULNERABILITY ASSESSMENT\n\n The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:\n For Java5: Less than 5.0.0.560\n For Java6: Less than 6.0.0.435\n For Java7: Less than 7.0.0.110\n\n Java7 Release 1: 7.1.0.000 is NOT vulnerable\n\n Note: To find out whether the affected filesets are installed on your\n systems, refer to the lslpp command found in AIX user's guide.\n\nIV. 
FIXES\n\n AFFECTED PRODUCTS AND VERSIONS:\n AIX 5.3\n AIX 6.1\n AIX 7.1\n PowerSC \n VIOS 2.2.x\n\n REMEDIATION:\n IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 4 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK\n\n IBM SDK, Java Technology Edition, Version 6 Service Refresh 15 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK\n\n IBM SDK, Java Technology Edition, Version 7 Service Refresh 6 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK\n\n To learn more about AIX support levels and Java service releases, see the following:\n http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels\n\nV. WORKAROUNDS\n\n None\n\nVI. CONTACT INFORMATION\n\n If you would like to receive AIX Security Advisories via email,\n please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq \n\n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To request the PGP public key that can be used to communicate\n securely with the AIX Security Team you can either:\n\n A. Send an email with \"get key\" in the subject line to:\n\n security-alert@austin.ibm.com\n\n B. Download the key from a PGP Public Key Server. 
The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. All other trademarks\n are property of their respective holders.\n\nVII. REFERENCES:\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n CVE-2014-0428: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428\n CVE-2014-0422: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422\n CVE-2013-5907: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907\n CVE-2014-0415: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0415\n CVE-2014-0410: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0410\n CVE-2013-5889: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5889\n CVE-2014-0417: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0417\n CVE-2014-0387: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0387\n CVE-2014-0424: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0424\n CVE-2013-5878: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878\n CVE-2014-0373: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373\n CVE-2014-0375: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0375\n CVE-2014-0403: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0403\n CVE-2014-0423: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423\n CVE-2014-0376: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376\n CVE-2013-5910: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910\n CVE-2013-5884: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884\n CVE-2013-5896: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896\n CVE-2013-5899: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5899\n CVE-2014-0416: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416\n CVE-2013-5887: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5887\n CVE-2014-0368: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368\n CVE-2013-5888: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5888\n CVE-2013-5898: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5898\n CVE-2014-0411: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System ( CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.13 (AIX)\n\niEYEARECAAYFAlMYy6AACgkQ4fmd+Ci/qhLrvQCfSkQgF0adnlWKbbbrvdOG0w/z\nBFIAoIDQstKVbu6E1akdCK5nyBahObEy\n=TWLW\n-----END PGP SIGNATURE-----\n", "edition": 4, "modified": "2014-03-06T13:24:59", "published": "2014-03-06T13:24:59", "id": "JAVA_JAN2014_ADVISORY.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/java_jan2014_advisory.asc", "title": "AIX Java Multiple Vulnerabilities (Oracle Java 2014 CPU)", "type": "aix", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:44:57", "bulletinFamily": "info", "cvelist": ["CVE-2013-5889", "CVE-2014-0385", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5870", "CVE-2013-5905", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-5893", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0418", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0408", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5895", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2013-5906", "CVE-2014-0428", "CVE-2014-0382", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2013-5902", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "description": "### *Detect date*:\n01/15/2014\n\n### *Severity*:\nCritical\n\n### *Description*:\nUnspecified vulnerabilities were found in Oracle products. By exploiting these vulnerabilities malicious users can affect integrity, confidentiality and availability. 
These vulnerabilities can be exploited remotely via unknown vectors related to 2D, Beans, CORBA, Deployment, Hotspot, Install, JAAS, JavaFX, JAXP, JNDI, JSSE, Libraries, Networking, Security and Serviceability.\n\n### *Affected products*:\nOracle Java SE versions 5u55, 6u65, 7u45 \nOracle JRockit R27.7.7, R28.2.9\n\n### *Solution*:\nUpdate to the latest version\n\n### *Original advisories*:\n[Oracle advisory](<http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Sun Java JRE](<https://threats.kaspersky.com/en/product/Sun-Java-JRE/>)\n\n### *CVE-IDS*:\n[CVE-2013-5870](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5870>)6.8High \n[CVE-2014-0428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428>)10.0Critical \n[CVE-2014-0423](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423>)5.5High \n[CVE-2013-5895](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5895>)5.0Critical \n[CVE-2013-5878](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878>)7.5Critical \n[CVE-2014-0422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422>)10.0Critical \n[CVE-2014-0424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0424>)7.5Critical \n[CVE-2013-5910](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910>)5.0Critical \n[CVE-2014-0382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0382>)4.3Warning \n[CVE-2014-0385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0385>)9.3Critical \n[CVE-2013-5899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5899>)5.0Critical \n[CVE-2014-0416](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416>)5.0Critical \n[CVE-2014-0415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0415>)10.0Critical \n[CVE-2013-5907](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907>)10.0Critical 
\n[CVE-2014-0418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0418>)5.1High \n[CVE-2014-0387](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0387>)7.6Critical \n[CVE-2013-5906](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5906>)5.1High \n[CVE-2013-5905](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5905>)5.1High \n[CVE-2013-5904](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5904>)6.8High \n[CVE-2014-0368](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368>)5.0Critical \n[CVE-2013-5896](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896>)5.0Critical \n[CVE-2013-5889](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5889>)9.3Critical \n[CVE-2013-5888](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5888>)4.6Warning \n[CVE-2013-5884](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884>)5.0Critical \n[CVE-2013-5887](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5887>)5.0Critical \n[CVE-2014-0411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411>)4.0Warning \n[CVE-2013-5902](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5902>)5.1High \n[CVE-2014-0417](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0417>)9.3Critical \n[CVE-2014-0410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0410>)10.0Critical \n[CVE-2014-0376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376>)5.0Critical \n[CVE-2013-5893](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5893>)9.3Critical \n[CVE-2014-0373](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373>)7.5Critical \n[CVE-2013-5898](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5898>)4.0Warning \n[CVE-2014-0403](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0403>)5.8High \n[CVE-2014-0408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0408>)9.3Critical 
\n[CVE-2014-0375](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0375>) 5.8 High", "edition": 43, "modified": "2020-05-22T00:00:00", "published": "2014-01-15T00:00:00", "id": "KLA10511", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10511", "title": "KLA10511 Multiple vulnerabilities in Oracle products", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2016-11-09T00:09:37", "bulletinFamily": "software", "cvelist": ["CVE-2013-5889", "CVE-2014-0385", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5870", "CVE-2013-5905", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-5893", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0418", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0408", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5895", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2013-5906", "CVE-2014-0428", "CVE-2014-0382", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2013-5902", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2015-12-30T00:00:00", "published": "2015-12-30T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/53/sol53146535.html", "id": "SOL53146535", "title": "SOL53146535 - Multiple Sun Java vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-20T21:07:42", "bulletinFamily": "software", "cvelist": ["CVE-2013-5889", "CVE-2014-0385", "CVE-2013-5878", "CVE-2014-0410", 
"CVE-2014-0415", "CVE-2013-5884", "CVE-2013-5870", "CVE-2013-5905", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-5893", "CVE-2014-0387", "CVE-2013-5898", "CVE-2014-0375", "CVE-2014-0418", "CVE-2014-0373", "CVE-2013-5887", "CVE-2014-0408", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5895", "CVE-2013-5899", "CVE-2013-5896", "CVE-2014-0417", "CVE-2013-5910", "CVE-2013-5906", "CVE-2014-0428", "CVE-2014-0382", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5907", "CVE-2013-5902", "CVE-2014-0424", "CVE-2014-0403", "CVE-2014-0416"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 
11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nNone\n\n * K9970: Subscribing to email notifications regarding F5 products\n * K9957: Creating a custom RSS feed to view new and updated documents\n * K4602: Overview of the F5 security vulnerability response policy\n * K4918: Overview of the F5 critical issue hotfix policy\n", "edition": 1, "modified": "2016-01-09T02:32:00", "published": "2015-12-31T04:57:00", "id": "F5:K53146535", "href": "https://support.f5.com/csp/article/K53146535", "title": "Multiple Sun Java vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-0371", "CVE-2012-3544", "CVE-2014-0400", "CVE-2013-5879", "CVE-2013-5876", "CVE-2013-5889", "CVE-2013-5909", "CVE-2014-0392", "CVE-2013-5873", "CVE-2013-5858", "CVE-2014-0405", "CVE-2013-5860", "CVE-2014-0367", "CVE-2014-0385", "CVE-2013-5878", "CVE-2014-0410", "CVE-2014-0398", "CVE-2013-5897", "CVE-2013-2071", "CVE-2014-0404", "CVE-2014-0415", "CVE-2014-0434", "CVE-2013-5884", "CVE-2014-0435", "CVE-2014-0443", "CVE-2013-5870", "CVE-2014-0390", 
"CVE-2013-5905", "CVE-2013-5880", "CVE-2013-5904", "CVE-2014-0391", "CVE-2013-5888", "CVE-2013-5893", "CVE-2014-0387", "CVE-2014-0393", "CVE-2014-0399", "CVE-2012-4605", "CVE-2013-5821", "CVE-2014-0431", "CVE-2013-5898", "CVE-2014-0427", "CVE-2014-0441", "CVE-2013-5900", "CVE-2013-1654", "CVE-2014-0433", "CVE-2014-0375", "CVE-2013-5886", "CVE-2014-0401", "CVE-2014-0396", "CVE-2014-0406", "CVE-2013-5872", "CVE-2014-0440", "CVE-2014-0425", "CVE-2013-5883", "CVE-2013-1862", "CVE-2013-5834", "CVE-2014-0418", "CVE-2014-0373", "CVE-2013-5877", "CVE-2013-5874", "CVE-2014-0439", "CVE-2014-0394", "CVE-2013-5887", "CVE-2014-0408", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0419", "CVE-2014-0411", "CVE-2014-0369", "CVE-2014-0366", "CVE-2013-5882", "CVE-2013-5895", "CVE-2003-1067", "CVE-2014-0437", "CVE-2013-5885", "CVE-2013-5901", "CVE-2013-5881", "CVE-2013-2067", "CVE-2014-0389", "CVE-2014-0388", "CVE-2013-5899", "CVE-2014-0412", "CVE-2013-5896", "CVE-2013-3830", "CVE-2014-0417", "CVE-2014-0372", "CVE-2014-0407", "CVE-2013-5910", "CVE-2013-5906", "CVE-2014-0428", "CVE-2013-5891", "CVE-2014-0382", "CVE-2014-0370", "CVE-2013-5808", "CVE-2013-5871", "CVE-2014-0402", "CVE-2013-2924", "CVE-2014-0368", "CVE-2014-0420", "CVE-2013-5853", "CVE-2014-0423", "CVE-2013-5868", "CVE-2014-0430", "CVE-2014-0374", "CVE-2013-5875", "CVE-2013-5869", "CVE-2013-5907", "CVE-2014-0377", "CVE-2012-3499", "CVE-2013-5902", "CVE-2013-5894", "CVE-2013-5795", "CVE-2007-0009", "CVE-2013-5892", "CVE-2014-0381", "CVE-2014-0383", "CVE-2014-0424", "CVE-2014-0395", "CVE-2013-4316", "CVE-2014-0379", "CVE-2014-0403", "CVE-2013-5908", "CVE-2014-0386", "CVE-2007-1858", "CVE-2013-5785", "CVE-2014-0445", "CVE-2013-5764", "CVE-2014-0444", "CVE-2014-0378", "CVE-2013-5833", "CVE-2013-1620", "CVE-2013-5890", "CVE-2014-0416", "CVE-2014-0380", "CVE-2014-0438"], "description": "Quarterly update fixes 144 different vulnerabilities.", "edition": 1, "modified": "2014-05-05T00:00:00", "published": "2014-05-05T00:00:00", "id": 
"SECURITYVULNS:VULN:13537", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13537", "title": "Oracle / Sun / MySQL / PeopleSoft / OpenJDK applications multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2019-05-29T18:21:09", "bulletinFamily": "software", "cvelist": ["CVE-2014-0371", "CVE-2012-3544", "CVE-2014-0400", "CVE-2013-5879", "CVE-2013-5876", "CVE-2013-5889", "CVE-2013-2248", "CVE-2013-5909", "CVE-2007-0008", "CVE-2014-0392", "CVE-2013-5873", "CVE-2013-5858", "CVE-2014-0405", "CVE-2013-5860", "CVE-2014-0367", "CVE-2014-0385", "CVE-2013-5878", "CVE-2006-0999", "CVE-2014-0410", "CVE-2012-4558", "CVE-2014-0398", "CVE-2013-5897", "CVE-2013-2071", "CVE-2014-0404", "CVE-2014-0415", "CVE-2014-0434", "CVE-2013-5884", "CVE-2014-0435", "CVE-2014-0443", "CVE-2013-5870", "CVE-2014-0390", "CVE-2013-5905", "CVE-2013-5880", "CVE-2013-5904", "CVE-2014-0391", "CVE-2013-5888", "CVE-2013-5893", "CVE-2014-0387", "CVE-2013-2251", "CVE-2014-0393", "CVE-2014-0399", "CVE-2012-4605", "CVE-2013-5821", "CVE-2014-0431", "CVE-2013-5898", "CVE-2014-0427", "CVE-2014-0441", "CVE-2013-5900", "CVE-2013-1654", "CVE-2014-0433", "CVE-2014-0375", "CVE-2013-5886", "CVE-2014-0401", "CVE-2014-0396", "CVE-2014-0406", "CVE-2013-5872", "CVE-2014-0440", "CVE-2014-0425", "CVE-2013-5883", "CVE-2013-1862", "CVE-2013-5834", "CVE-2014-0418", "CVE-2014-0373", "CVE-2013-5877", "CVE-2013-5874", "CVE-2014-0439", "CVE-2014-0394", "CVE-2013-5887", "CVE-2014-0408", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0419", "CVE-2014-0411", "CVE-2014-0369", "CVE-2014-0366", "CVE-2013-5882", "CVE-2013-5895", "CVE-2003-1067", "CVE-2014-0437", "CVE-2013-5885", "CVE-2013-5901", "CVE-2013-5881", "CVE-2013-2067", "CVE-2014-0389", "CVE-2014-0388", "CVE-2013-5899", "CVE-2014-0412", "CVE-2013-5896", "CVE-2013-3830", "CVE-2014-0417", "CVE-2014-0372", "CVE-2014-0407", "CVE-2013-5910", 
"CVE-2013-5906", "CVE-2014-0428", "CVE-2013-5891", "CVE-2014-0382", "CVE-2014-0370", "CVE-2013-5808", "CVE-2006-0998", "CVE-2013-2134", "CVE-2013-5871", "CVE-2014-0402", "CVE-2013-2924", "CVE-2013-4310", "CVE-2014-0368", "CVE-2014-0420", "CVE-2013-5853", "CVE-2014-0423", "CVE-2013-2135", "CVE-2013-5868", "CVE-2014-0430", "CVE-2014-0374", "CVE-2013-5875", "CVE-2013-5869", "CVE-2013-5907", "CVE-2014-0377", "CVE-2012-3499", "CVE-2013-5902", "CVE-2013-5894", "CVE-2013-5795", "CVE-2007-0009", "CVE-2013-5892", "CVE-2014-0381", "CVE-2014-0383", "CVE-2014-0424", "CVE-2014-0395", "CVE-2013-4316", "CVE-2014-0379", "CVE-2014-0403", "CVE-2013-5908", "CVE-2014-0386", "CVE-2007-1858", "CVE-2013-5785", "CVE-2014-0445", "CVE-2013-5764", "CVE-2014-0444", "CVE-2014-0378", "CVE-2013-5833", "CVE-2013-1620", "CVE-2013-5890", "CVE-2014-0416", "CVE-2014-0380", "CVE-2014-0438"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 144 new security fixes across the product families listed below.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "modified": "2014-01-14T00:00:00", "published": "2014-01-14T00:00:00", "id": "ORACLE:CPUJAN2014-1972949", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - January 2014", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}