DATABASE RESOURCES PRICING ABOUT US

{"id": "CVE-2016-9840", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2016-9840", "description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "published": "2017-05-23T04:29:00", "modified": "2022-06-22T17:08:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9840", "reporter": "security@suse.com", "references": ["https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf", "https://security.gentoo.org/glsa/201701-56", "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0", "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", "http://www.securityfocus.com/bid/95131", "http://www.openwall.com/lists/oss-security/2016/12/05/21", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", "http://www.securitytracker.com/id/1039427", "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "https://support.apple.com/HT208144", "https://support.apple.com/HT208115", "https://support.apple.com/HT208113", "https://support.apple.com/HT208112", "https://access.redhat.com/errata/RHSA-2017:3047", "https://access.redhat.com/errata/RHSA-2017:3046", "https://access.redhat.com/errata/RHSA-2017:3453", "https://access.redhat.com/errata/RHSA-2017:2999", "https://access.redhat.com/errata/RHSA-2017:1222", "https://access.redhat.com/errata/RHSA-2017:1221", "https://access.redhat.com/errata/RHSA-2017:1220", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", "https://usn.ubuntu.com/4246-1/", "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html", "https://usn.ubuntu.com/4292-1/", "https://www.oracle.com/security-alerts/cpujul2020.html", "https://security.gentoo.org/glsa/202007-54"], "cvelist": ["CVE-2016-9840"], "immutableFields": [], "lastseen": "2022-06-22T19:09:46", "viewCount": 116, "enchantments": {"dependencies": {"references": [{"type": "aix", "idList": ["JAVA_APR2017_ADVISORY.ASC"]}, {"type": "apple", "idList": ["APPLE:064D138B51FD5A1569959D1A78DD6E63", "APPLE:5E58B6737BAA8A942A7E8E20FE61FF82", "APPLE:B6838750CA6086B150DDD58EB8FAE22A", "APPLE:DF08A53F8B130AC7A8FE4C422F2002C9", "APPLE:HT208112", "APPLE:HT208113", "APPLE:HT208115", "APPLE:HT208144"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:B80D5A9EB298D5042EE6C3A994BCD562", "CFOUNDRY:FE41CC36D8C9E189530E5F57AD3476B7"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1725-1:318DA", "DEBIAN:DLA-2085-1:566B5"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-9840"]}, {"type": "freebsd", "idList": ["085399AB-DFD7-11EA-96E4-80EE73BC7B66"]}, {"type": "gentoo", "idList": ["GLSA-201701-56", "GLSA-202007-54"]}, {"type": "ibm", "idList": ["0735E5DF8767B7D5408C2020CA8A0D290D4854ED84163C7660D4BD72A22FA095", "0BB0F39865741AB9E1AFB9CA3C5508F7FB9BEACECB805F04C6C6B336AA66617E", "153C8B988C1EC44C13B0535341913C2F66090DDDFC18D3C49268B9CA9BFFB899", "178BA37EC0E384C071E3C2ABDC8AA2080AA024B08ACEC18B79D283DF4E354DE2", "1C8642514B80CD34963C6F71980044917E14636767959F77FE5B38BC3F0358D3", "24BEC163EA3BD84B7E22E782C3DC394F6DF7C93AF1345B97BF7B378DB6C0978E", "24DFABA5B2EC0AE6CB408AFF790D7F41BC7385C13B55076C79F5992C78869191", "2CE5E1CBE3AFA84EF6B6144C280719D2B5CB99A981541A17994F64EECC23CFE7", "2F9B8E7CD04F88375E7DA644A637018DCE889D492AB253B36AAC20CA2B0659B3", "31028229FDC1BB19DF989803B4A864D39E803812D894CCF9E11C53D6714A6D33", "31C5C404B579DE2227E0BA22189AEC840F35342C712186B73BB644D9F2A56FB6", "33998453A003DBEE91ADD9693A86AFA03B4197141BC03C7326ABC834DD122179", "3D812A2E5E1DE6B82054618E3EBB76C91CE2365FE982C3392DE97D4AEC269290", "3F639035BAB0EB875C9E9E808512F3E2A87A86BDD91C548658A2E7907F9A7846", "42B553A5257DBCE0553E09359217D9B58850595C4F83DD12BEB3762A7D09FF2D", "44FD06DF739AE850EF4B0FD8EDFD9F3CA1D49EF6D12D841D2F929127DE9A82D8", "4C98F5463E3FBB67682E7F864F699DD4A99514832D6E44999F6672401F35C8B0", "4CB34725F1E54FB000F6F431C0E55F2FC9A5C31FD2A568506AABE35E44D674CD", "57AD0C0FC8A00BEEF6E1F3C8A1E152181FB65DFF630150E0DA7D2BBD63A52DB2", "5C95F7FD81C7277396C5C8C67CBF1E290A8317D7AB2457C78D03EDAD50E3812E", "66E34F1F1268555AFF621DE0835CB61B63CC9DC4AC6ADFFFA92F33FAFD7C7E93", "6C5CA7A0756525376C7822618AC97C4C45E220AEABF472D45F8EB40E1DAA2ECD", "701FCAB3C800D9AB919F50251A3540E3B87060D18EDCC6A9FF0C96423F3804E0", "7D7C2F7950E4FCA765164EC739C1CE4D46C2BCAFE840312CE4E8D2D5364FD1D4", "7DA5BADAAAA106517C7E1A9DDFA3F2D244D760EB8E77D5BF4DA6A21044F50912", "8451DCEAC7362310C8EAA923574AFEAD09CA58D139A870AE0ED1E3D11764573B", "93E146998B94EC264E33E7B36FD946A69450033DA52EBD726834D95E2F65C29E", "9765CC2CD4E8CF43C86EE7859F7012EB2A38E6A4A80E55865CD6E4E883D3188A", "ADC40C69949A3E45DE7D3CD6F77443003EA61DEFE08BECAF5A431BAF9DFF8DD9", "B7E9CE33A8766104CBF43CF1EF0D10747A799C0A2ADF534A80658077B861D8FA", "C1DE62607E696F3135AA44A9ED964385998509307175EDF6F47BDAEC9E4F6C06", "C31436DA6C1FDD78E2ECB68688AFD20C432119CDF718A53729D0F429AE0174AA", "C6771A870A37ADA11D50A5F13962E90868941CD1B5E16CAD1FC321B24791BB0D", "CC37D743879D353458C1878FA8E2AB682D874D3B8E3BA1673A273FA4E6C58F25", "CD802469E7091F3B4C36A2C1558796086B9FF4A18435BCFD596F5D926EE2CF18", "CF2BF653951F57AA7BCC09D12353C414FBEE64EB71182AEEB1BD9B590AD53FF1", "DB88427B9B30E7BC27929575B10F1309F406508317076AB2CB83FCDD79124D3A", "DBD29332B6E297F25422EB8C28791AE3DD704B7B9FDB714ACE7016CEEC63D122", "DFBF8270196E2043086B670889FD4B25491E875B01506321C770B6282C5BD9F4", "E0253E0BCD2010E2BAB349C52FFCF23EDBB59CE53A5DADB8EB1D97663DFA2A6D", "E9F8D8D5FB66C431AFEE6576AA9B1D7020366F95234DFBF8766FADB1972A76F4", "EA291979EDD5CB544FAE11C3A7590423A575F4DF6481A402F8DD15EA9D3A7C93", "EB7E5FF079F0DCF484355C9F57FB847D7DF324153C1ED7D9153C9C78FB8F4298", "ED0C84C9C2A14A403946F4803D5C77695460A27DABCEF6B0B26DDD2D13563B0A", "EF15DBE9DF088EEA41E61AFA61E2908FA17CEBFD7F299E7B8954046C59CDBA62", "F1FCAD9702724B4983D6B5417FBF364CD19F0F19F7D722D5D70F3F75EFCA5438", "FB22228C0335EC32E22ECE7501256187C9DBD5B51755785F2596C8392A43AA22", "FBBDA7CB379F4EF8DCEBAF120EA12F80CCC30DE0F47FC9D7596617C5FA098440", "FEE75B41D176D343E68FBF3A86316A1A946E745F12AE67CB789F7746D1826A8E"]}, {"type": "nessus", "idList": ["700511.PRM", "700542.PRM", "AIX_JAVA_APR2017_ADVISORY.NASL", "APPLE_IOS_110_CHECK.NBIN", "DEBIAN_DLA-1725.NASL", "DEBIAN_DLA-2085.NASL", "EULEROS_SA-2019-1276.NASL", "EULEROS_SA-2019-2704.NASL", "EULEROS_SA-2020-1556.NASL", "EULEROS_SA-2020-1741.NASL", "FREEBSD_PKG_085399ABDFD711EA96E480EE73BC7B66.NASL", "GENTOO_GLSA-201701-56.NASL", "GENTOO_GLSA-202007-54.NASL", "IBM_TEM_9_2_11_19.NASL", "MACOS_10_13.NASL", "OPENSUSE-2016-1499.NASL", "OPENSUSE-2017-1269.NASL", "OPENSUSE-2017-46.NASL", "OPENSUSE-2017-47.NASL", "OPENSUSE-2018-14.NASL", "REDHAT-RHSA-2017-1220.NASL", "REDHAT-RHSA-2017-1221.NASL", "REDHAT-RHSA-2017-1222.NASL", "REDHAT-RHSA-2017-2999.NASL", "REDHAT-RHSA-2017-3046.NASL", "REDHAT-RHSA-2017-3047.NASL", "REDHAT-RHSA-2017-3453.NASL", "SUSE_SU-2016-3209-1.NASL", "SUSE_SU-2017-0003-1.NASL", "SUSE_SU-2017-0004-1.NASL", "SUSE_SU-2017-1384-1.NASL", "SUSE_SU-2017-1385-1.NASL", "SUSE_SU-2017-1386-1.NASL", "SUSE_SU-2017-1387-1.NASL", "SUSE_SU-2017-1389-1.NASL", "SUSE_SU-2017-1444-1.NASL", "SUSE_SU-2017-2989-1.NASL", "SUSE_SU-2018-0005-1.NASL", "UBUNTU_USN-4246-1.NASL", "UBUNTU_USN-4292-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106979", "OPENVAS:1361412562310811790", "OPENVAS:1361412562310813437", "OPENVAS:1361412562310844303", "OPENVAS:1361412562310844353", "OPENVAS:1361412562310851646", "OPENVAS:1361412562310851679", "OPENVAS:1361412562310891725", "OPENVAS:1361412562310892085", "OPENVAS:1361412562311220191276", "OPENVAS:1361412562311220192704", "OPENVAS:1361412562311220201556", "OPENVAS:1361412562311220201741"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2020", "ORACLE:CPUOCT2017", "ORACLE:CPUOCT2017-3236626", "ORACLE:CPUOCT2018", "ORACLE:CPUOCT2018-4428296"]}, {"type": "photon", "idList": ["PHSA-2017-0051"]}, {"type": "redhat", "idList": ["RHSA-2017:1220", "RHSA-2017:1221", "RHSA-2017:1222", "RHSA-2017:2999", "RHSA-2017:3046", "RHSA-2017:3047", "RHSA-2017:3453"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:2998-1", "OPENSUSE-SU-2018:0042-1", "SUSE-SU-2017:1384-1", "SUSE-SU-2017:1386-1", "SUSE-SU-2017:1387-1", "SUSE-SU-2017:1444-1", "SUSE-SU-2017:2699-1", "SUSE-SU-2017:2700-1", "SUSE-SU-2017:2701-1", "SUSE-SU-2017:2989-1", "SUSE-SU-2018:0005-1"]}, {"type": "thn", "idList": ["THN:AD7F6FD3974449B33F35DBF67FA683D5"]}, {"type": "ubuntu", "idList": ["USN-4246-1", "USN-4292-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-9840"]}], "rev": 4}, "score": {"value": 7.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "aix", "idList": ["JAVA_APR2017_ADVISORY.ASC"]}, {"type": "apple", "idList": ["APPLE:064D138B51FD5A1569959D1A78DD6E63"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:B80D5A9EB298D5042EE6C3A994BCD562"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1725-1:318DA", "DEBIAN:DLA-2085-1:566B5"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-9840"]}, {"type": "freebsd", "idList": ["085399AB-DFD7-11EA-96E4-80EE73BC7B66"]}, {"type": "gentoo", "idList": ["GLSA-201701-56"]}, {"type": "ibm", "idList": ["153C8B988C1EC44C13B0535341913C2F66090DDDFC18D3C49268B9CA9BFFB899", "178BA37EC0E384C071E3C2ABDC8AA2080AA024B08ACEC18B79D283DF4E354DE2", "31028229FDC1BB19DF989803B4A864D39E803812D894CCF9E11C53D6714A6D33", "B7E9CE33A8766104CBF43CF1EF0D10747A799C0A2ADF534A80658077B861D8FA", "E9F8D8D5FB66C431AFEE6576AA9B1D7020366F95234DFBF8766FADB1972A76F4"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2085.NASL", "EULEROS_SA-2020-1556.NASL", "GENTOO_GLSA-201701-56.NASL", "OPENSUSE-2016-1499.NASL", "OPENSUSE-2017-46.NASL", "OPENSUSE-2017-47.NASL", "SUSE_SU-2016-3209-1.NASL", "SUSE_SU-2017-0003-1.NASL", "SUSE_SU-2017-0004-1.NASL", "SUSE_SU-2017-1384-1.NASL", "SUSE_SU-2017-1385-1.NASL", "SUSE_SU-2017-1386-1.NASL", "SUSE_SU-2017-1387-1.NASL", "UBUNTU_USN-4246-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106979", "OPENVAS:1361412562310844303", "OPENVAS:1361412562310891725", "OPENVAS:1361412562310892085", "OPENVAS:1361412562311220191276", "OPENVAS:1361412562311220192704", "OPENVAS:1361412562311220201556"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2017-3236626"]}, {"type": "photon", "idList": ["PHSA-2017-0051"]}, {"type": "redhat", "idList": ["RHSA-2017:3047"]}, {"type": "suse", "idList": ["SUSE-SU-2017:1384-1", "SUSE-SU-2017:1386-1", "SUSE-SU-2017:1387-1", "SUSE-SU-2017:1444-1"]}, {"type": "thn", "idList": ["THN:AD7F6FD3974449B33F35DBF67FA683D5"]}, {"type": "ubuntu", "idList": ["USN-4246-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-9840"]}]}, "exploitation": null, "twitter": {"counter": 3, "tweets": [{"link": "https://twitter.com/threatintelctr/status/1539657789135626240", "text": " NEW: CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. Severity: HIGH https://t.co/2tX45N1To9", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/LinInfoSec/status/1539700622676590592", "text": "Mysql - CVE-2016-9840: https://t.co/LCvCeJNTxn", "author": "LinInfoSec", "author_photo": "https://pbs.twimg.com/profile_images/806629896705507328/nxrtXOrp_400x400.jpg"}]}, "vulnersScore": 7.9}, "_state": {"dependencies": 0, "score": 0, "twitter": 1655932634}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:oracle:mysql:5.7.23", "cpe:/o:opensuse:leap:42.2", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:opensuse:opensuse:13.2", "cpe:/a:oracle:mysql:5.5.61", "cpe:/a:oracle:jdk:1.8.0", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:oracle:database_server:18c", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:redhat:satellite:5.8", "cpe:/a:oracle:jdk:1.7.0", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/a:oracle:mysql:5.6.41", "cpe:/a:oracle:mysql:8.0.12", "cpe:/a:oracle:jre:1.6.0", "cpe:/o:redhat:enterprise_linux_eus:7.5", "cpe:/a:oracle:jdk:1.6.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_eus:7.4", "cpe:/o:opensuse:leap:42.1", "cpe:/a:oracle:jre:1.8.0", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:oracle:jre:1.7.0"], "cpe23": ["cpe:2.3:a:oracle:database_server:18c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update144:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update161:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update151:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql:5.7.23:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update151:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql:8.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql:5.5.61:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update144:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql:5.6.41:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update161:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "affectedSoftware": [{"cpeName": "zlib:zlib", "version": "1.2.9", "operator": "lt", "name": "zlib"}, {"cpeName": "opensuse:leap", "version": "42.2", "operator": "eq", "name": "opensuse leap"}, {"cpeName": "opensuse:leap", "version": "42.1", "operator": "eq", "name": "opensuse leap"}, {"cpeName": "opensuse:opensuse", "version": "13.2", "operator": "eq", "name": "opensuse"}, {"cpeName": "debian:debian_linux", "version": "8.0", "operator": "eq", "name": "debian debian linux"}, {"cpeName": "canonical:ubuntu_linux", "version": "18.04", "operator": "eq", "name": "canonical ubuntu linux"}, {"cpeName": "canonical:ubuntu_linux", "version": "16.04", "operator": "eq", "name": "canonical ubuntu linux"}, {"cpeName": "oracle:mysql", "version": "5.7.23", "operator": "le", "name": "oracle mysql"}, {"cpeName": "oracle:mysql", "version": "8.0.12", "operator": "le", "name": "oracle mysql"}, {"cpeName": "oracle:mysql", "version": "5.5.61", "operator": "le", "name": "oracle mysql"}, {"cpeName": "oracle:mysql", "version": "5.6.41", "operator": "le", "name": "oracle mysql"}, {"cpeName": "oracle:database_server", "version": "18c", "operator": "eq", "name": "oracle database server"}, {"cpeName": "oracle:jdk", "version": "1.8.0", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "oracle:jdk", "version": "1.7.0", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "oracle:jdk", "version": "1.6.0", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "oracle:jre", "version": "1.6.0", "operator": "eq", "name": "oracle jre"}, {"cpeName": "oracle:jre", "version": "1.7.0", "operator": "eq", "name": "oracle jre"}, {"cpeName": "oracle:jre", "version": "1.8.0", "operator": "eq", "name": "oracle jre"}, {"cpeName": "redhat:enterprise_linux_desktop", "version": "7.0", "operator": "eq", "name": "redhat enterprise linux desktop"}, {"cpeName": "redhat:enterprise_linux_workstation", "version": "7.0", "operator": "eq", "name": "redhat enterprise linux workstation"}, {"cpeName": "redhat:enterprise_linux_server", "version": "7.0", "operator": "eq", "name": "redhat enterprise linux server"}, {"cpeName": "redhat:enterprise_linux_desktop", "version": "6.0", "operator": "eq", "name": "redhat enterprise linux desktop"}, {"cpeName": "redhat:enterprise_linux_server", "version": "6.0", "operator": "eq", "name": "redhat enterprise linux server"}, {"cpeName": "redhat:enterprise_linux_workstation", "version": "6.0", "operator": "eq", "name": "redhat enterprise linux workstation"}, {"cpeName": "redhat:enterprise_linux_eus", "version": "7.4", "operator": "eq", "name": "redhat enterprise linux eus"}, {"cpeName": "redhat:enterprise_linux_eus", "version": "7.5", "operator": "eq", "name": "redhat enterprise linux eus"}, {"cpeName": "redhat:satellite", "version": "5.8", "operator": "eq", "name": "redhat satellite"}, {"cpeName": "apple:tvos", "version": "11.0", "operator": "lt", "name": "apple tvos"}, {"cpeName": "apple:iphone_os", "version": "11", "operator": "lt", "name": "apple iphone os"}, {"cpeName": "apple:watchos", "version": "4", "operator": "lt", "name": "apple watchos"}, {"cpeName": "apple:mac_os_x", "version": "10.13.0", "operator": "lt", "name": "apple mac os x"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:zlib:zlib:1.2.9:*:*:*:*:*:*:*", "versionStartIncluding": "1.2.0.6", "versionEndExcluding": "1.2.9", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:mysql:5.7.23:*:*:*:*:*:*:*", "versionStartIncluding": "5.7.0", "versionEndIncluding": "5.7.23", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:mysql:8.0.12:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndIncluding": "8.0.12", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:mysql:5.5.61:*:*:*:*:*:*:*", "versionStartIncluding": "5.5.0", "versionEndIncluding": "5.5.61", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:mysql:5.6.41:*:*:*:*:*:*:*", "versionStartIncluding": "5.6.0", "versionEndIncluding": "5.6.41", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:database_server:18c:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:1.8.0:update144:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:1.7.0:update151:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update161:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:1.6.0:update161:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update151:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:1.8.0:update144:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:apple:tvos:11.0:*:*:*:*:*:*:*", "versionEndExcluding": "11.0", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:apple:iphone_os:11:*:*:*:*:*:*:*", "versionEndExcluding": "11", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:apple:watchos:4:*:*:*:*:*:*:*", "versionEndExcluding": "4", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.13.0:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.13.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", "name": "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf", "name": "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf", "refsource": "MISC", "tags": ["Exploit", "Technical Description", "Third Party Advisory"]}, {"url": "https://security.gentoo.org/glsa/201701-56", "name": "GLSA-201701-56", "refsource": "GENTOO", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0", "name": "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0", "refsource": "CONFIRM", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", "refsource": "CONFIRM", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"]}, {"url": "http://www.securityfocus.com/bid/95131", "name": "95131", "refsource": "BID", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "http://www.openwall.com/lists/oss-security/2016/12/05/21", "name": "[oss-security] 20161205 Re: CVE Request: zlib security issues found during audit", "refsource": "MLIST", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", "name": "openSUSE-SU-2017:0080", "refsource": "SUSE", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", "name": "openSUSE-SU-2017:0077", "refsource": "SUSE", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", "name": "openSUSE-SU-2016:3202", "refsource": "SUSE", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "http://www.securitytracker.com/id/1039427", "name": "1039427", "refsource": "SECTRACK", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"]}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "refsource": "CONFIRM", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://support.apple.com/HT208144", "name": "https://support.apple.com/HT208144", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://support.apple.com/HT208115", "name": "https://support.apple.com/HT208115", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://support.apple.com/HT208113", "name": "https://support.apple.com/HT208113", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://support.apple.com/HT208112", "name": "https://support.apple.com/HT208112", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2017:3047", "name": "RHSA-2017:3047", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2017:3046", "name": "RHSA-2017:3046", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2017:3453", "name": "RHSA-2017:3453", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2017:2999", "name": "RHSA-2017:2999", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2017:1222", "name": "RHSA-2017:1222", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2017:1221", "name": "RHSA-2017:1221", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2017:1220", "name": "RHSA-2017:1220", "refsource": "REDHAT", "tags": ["Third Party Advisory"]}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "refsource": "CONFIRM", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", "name": "[debian-lts-announce] 20190324 [SECURITY] [DLA 1725-1] rsync security update", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://usn.ubuntu.com/4246-1/", "name": "USN-4246-1", "refsource": "UBUNTU", "tags": ["Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html", "name": "[debian-lts-announce] 20200129 [SECURITY] [DLA 2085-1] zlib security update", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://usn.ubuntu.com/4292-1/", "name": "USN-4292-1", "refsource": "UBUNTU", "tags": ["Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://security.gentoo.org/glsa/202007-54", "name": "GLSA-202007-54", "refsource": "GENTOO", "tags": ["Third Party Advisory"]}]}

{"openvas": [{"lastseen": "2020-05-06T01:04:41", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-04-30T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2020-1556)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840"], "modified": "2020-04-30T00:00:00", "id": "OPENVAS:1361412562311220201556", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201556", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1556\");\n script_version(\"2020-04-30T12:13:34+0000\");\n script_cve_id(\"CVE-2016-9840\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 12:13:34 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-30 12:13:34 +0000 (Thu, 30 Apr 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2020-1556)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1556\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1556\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'zlib' package(s) announced via the EulerOS-SA-2020-1556 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\");\n\n script_tag(name:\"affected\", value:\"'zlib' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib\", rpm:\"zlib~1.2.7~17.h1\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib-devel\", rpm:\"zlib-devel~1.2.7~17.h1\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T19:54:55", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-07-03T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2020-1741)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841"], "modified": "2020-07-03T00:00:00", "id": "OPENVAS:1361412562311220201741", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201741", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1741\");\n script_version(\"2020-07-03T06:19:20+0000\");\n script_cve_id(\"CVE-2016-9840\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-07-03 06:19:20 +0000 (Fri, 03 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-03 06:19:20 +0000 (Fri, 03 Jul 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2020-1741)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.6\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1741\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1741\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'zlib' package(s) announced via the EulerOS-SA-2020-1741 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\n\ninffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9841)\");\n\n script_tag(name:\"affected\", value:\"'zlib' package(s) on Huawei EulerOS Virtualization 3.0.6.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.6.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib\", rpm:\"zlib~1.2.7~17.h1\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib-devel\", rpm:\"zlib-devel~1.2.7~17.h1\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-30T16:45:19", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-30T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for zlib (DLA-2085-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9842", "CVE-2016-9843", "CVE-2016-9841"], "modified": "2020-01-30T00:00:00", "id": "OPENVAS:1361412562310892085", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892085", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892085\");\n script_version(\"2020-01-30T04:00:18+0000\");\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-30 04:00:18 +0000 (Thu, 30 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-30 04:00:18 +0000 (Thu, 30 Jan 2020)\");\n script_name(\"Debian LTS: Security Advisory for zlib (DLA-2085-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2085-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zlib'\n package(s) announced via the DLA-2085-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several issues have been found in zlib, a compression library.\nThey are basically about improper big-endian CRC calculation, improper\nleft shift of negative integers and improper pointer arithmetic.\");\n\n script_tag(name:\"affected\", value:\"'zlib' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n1:1.2.8.dfsg-2+deb8u1.\n\nWe recommend that you upgrade your zlib packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"lib32z1\", ver:\"1:1.2.8.dfsg-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lib32z1-dev\", ver:\"1:1.2.8.dfsg-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lib64z1\", ver:\"1:1.2.8.dfsg-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lib64z1-dev\", ver:\"1:1.2.8.dfsg-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"zlib1g\", ver:\"1:1.2.8.dfsg-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"zlib1g-dbg\", ver:\"1:1.2.8.dfsg-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"zlib1g-dev\", ver:\"1:1.2.8.dfsg-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T16:32:38", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Ubuntu Update for zlib USN-4246-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9842", "CVE-2016-9843", "CVE-2016-9841"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562310844303", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844303", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844303\");\n script_version(\"2020-01-23T07:59:05+0000\");\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 07:59:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 04:00:20 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Ubuntu Update for zlib USN-4246-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"4246-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-January/005284.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zlib'\n package(s) announced via the USN-4246-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that zlib incorrectly handled pointer arithmetic. An\nattacker\ncould use this issue to cause zlib to crash, resulting in a denial of\nservice, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)\n\nIt was discovered that zlib incorrectly handled vectors involving left\nshifts of\nnegative integers. An attacker could use this issue to cause zlib to\ncrash, resulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-9842)\n\nIt was discovered that zlib incorrectly handled vectors involving\nbig-endian CRC\ncalculation. An attacker could use this issue to cause zlib to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-9843)\");\n\n script_tag(name:\"affected\", value:\"'zlib' package(s) on Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"lib32z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"lib64z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libn32z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libx32z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"zlib1g\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:36:20", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2019-1276)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9842", "CVE-2016-9843", "CVE-2016-9841"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191276", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191276", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1276\");\n script_version(\"2020-01-23T11:37:07+0000\");\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:37:07 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:37:07 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2019-1276)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1276\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1276\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'zlib' package(s) announced via the EulerOS-SA-2019-1276 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\n\ninffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.CVE-2016-9841\n\nThe inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.CVE-2016-9842\n\nThe crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.CVE-2016-9843\");\n\n script_tag(name:\"affected\", value:\"'zlib' package(s) on Huawei EulerOS Virtualization 2.5.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib\", rpm:\"zlib~1.2.7~17.h1\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib-devel\", rpm:\"zlib-devel~1.2.7~17.h1\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-26T20:52:50", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-02-25T00:00:00", "type": "openvas", "title": "Ubuntu: Security Advisory for rsync (USN-4292-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9842", "CVE-2016-9843", "CVE-2016-9841"], "modified": "2020-02-26T00:00:00", "id": "OPENVAS:1361412562310844353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844353", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844353\");\n script_version(\"2020-02-26T06:23:50+0000\");\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-26 06:23:50 +0000 (Wed, 26 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-25 04:00:26 +0000 (Tue, 25 Feb 2020)\");\n script_name(\"Ubuntu: Security Advisory for rsync (USN-4292-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4292-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-February/005346.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rsync'\n package(s) announced via the USN-4292-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that rsync incorrectly handled pointer arithmetic in zlib.\nAn attacker could use this issue to cause rsync to crash, resulting in a\ndenial of service, or possibly execute arbitrary code. (CVE-2016-9840,\nCVE-2016-9841)\n\nIt was discovered that rsync incorrectly handled vectors involving left shifts\nof negative integers in zlib. An attacker could use this issue to cause rsync\nto crash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2016-9842)\n\nIt was discovered that rsync incorrectly handled vectors involving big-endian\nCRC calculation in zlib. An attacker could use this issue to cause rsync to\ncrash, resulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-9843)\");\n\n script_tag(name:\"affected\", value:\"'rsync' package(s) on Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"rsync\", ver:\"3.1.2-2.1ubuntu1.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"rsync\", ver:\"3.1.1-3ubuntu1.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:37:00", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2019-2704)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9842", "CVE-2016-9843", "CVE-2016-9841"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192704", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192704", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2704\");\n script_version(\"2020-01-23T13:14:55+0000\");\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:14:55 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:14:55 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for zlib (EulerOS-SA-2019-2704)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2704\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2704\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'zlib' package(s) announced via the EulerOS-SA-2019-2704 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\n\ninffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9841)\n\nThe inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.(CVE-2016-9842)\n\nThe crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.(CVE-2016-9843)\");\n\n script_tag(name:\"affected\", value:\"'zlib' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib\", rpm:\"zlib~1.2.7~17.h1.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"zlib-devel\", rpm:\"zlib-devel~1.2.7~17.h1.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:29:58", "description": "Trail of Bits used the automated vulnerability discovery tools developed\nfor the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast,\nversatile, remote (and local) file-copying tool, uses an embedded copy of\nzlib, those issues are also present in rsync.\n\nCVE-2016-9840\nIn order to avoid undefined behavior, remove offset pointer\noptimization, as this is not compliant with the C standard.\n\nCVE-2016-9841\nOnly use post-increment to be compliant with the C standard.\n\nCVE-2016-9842\nIn order to avoid undefined behavior, do not shift negative values,\nas this is not compliant with the C standard.\n\nCVE-2016-9843\nIn order to avoid undefined behavior, do not pre-decrement a pointer\nin big-endian CRC calculation, as this is not compliant with the\nC standard.\n\nCVE-2018-5764\nPrevent remote attackers from being able to bypass the\nargument-sanitization protection mechanism by ignoring --protect-args\nwhen already sent by client.", "cvss3": {}, "published": "2019-03-24T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for rsync (DLA-1725-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2018-5764", "CVE-2016-9842", "CVE-2016-9843", "CVE-2016-9841"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891725", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891725", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891725\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2018-5764\");\n script_name(\"Debian LTS: Security Advisory for rsync (DLA-1725-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-03-24 23:00:00 +0100 (Sun, 24 Mar 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"rsync on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n3.1.1-3+deb8u2.\n\nWe recommend that you upgrade your rsync packages.\");\n\n script_tag(name:\"summary\", value:\"Trail of Bits used the automated vulnerability discovery tools developed\nfor the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast,\nversatile, remote (and local) file-copying tool, uses an embedded copy of\nzlib, those issues are also present in rsync.\n\nCVE-2016-9840\nIn order to avoid undefined behavior, remove offset pointer\noptimization, as this is not compliant with the C standard.\n\nCVE-2016-9841\nOnly use post-increment to be compliant with the C standard.\n\nCVE-2016-9842\nIn order to avoid undefined behavior, do not shift negative values,\nas this is not compliant with the C standard.\n\nCVE-2016-9843\nIn order to avoid undefined behavior, do not pre-decrement a pointer\nin big-endian CRC calculation, as this is not compliant with the\nC standard.\n\nCVE-2018-5764\nPrevent remote attackers from being able to bypass the\nargument-sanitization protection mechanism by ignoring --protect-args\nwhen already sent by client.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"rsync\", ver:\"3.1.1-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:27", "description": "IBM Tivoli Endpoint Manager is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-07-21T00:00:00", "type": "openvas", "title": "IBM Tivoli Entpoint Manager Multiple Vulnerabilities July17", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2017-1223", "CVE-2017-1218", "CVE-2017-1224", "CVE-2016-9842", "CVE-2017-1203", "CVE-2016-9843", "CVE-2016-9841", "CVE-2017-1219"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106979", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106979", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_endpoint_manager_mult_vuln_jul17.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# IBM Tivoli Entpoint Manager Multiple Vulnerabilities July17\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:tivoli_endpoint_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106979\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-21 15:30:52 +0700 (Fri, 21 Jul 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1203\",\n\"CVE-2017-1218\", \"CVE-2017-1219\", \"CVE-2017-1223\", \"CVE-2017-1224\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"IBM Tivoli Entpoint Manager Multiple Vulnerabilities July17\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_ibm_endpoint_manager_web_detect.nasl\");\n script_mandatory_keys(\"ibm_endpoint_manager/installed\");\n\n script_tag(name:\"summary\", value:\"IBM Tivoli Endpoint Manager is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"IBM Tivoli Endpoint Manager is prone to multiple vulnerabilities:\n\n - Multiple denial of service vulnerabilities in zlib. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9842)\n\n - WebUI Component is vulnerable to cross-site scripting. (CVE-2017-1203)\n\n - WebUI Component is vulnerable to cross-site request forgery (CVE-2017-1218)\n\n - XML External Entity Injection (XXE) error when processing XML data (CVE-2017-1219)\n\n - Open redirect vulnerability (CVE-2017-1223)\n\n - WebUI Component uses weaker than expected cryptographic algorithms (CVE-2017-1224)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"IBM Tivoli Endpoint Manager versions 9.1, 9.2 and 9.5.\");\n\n script_tag(name:\"solution\", value:\"Follow the instructions in the referenced advisories.\");\n\n script_xref(name:\"URL\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg22006014\");\n script_xref(name:\"URL\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg22005246\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif(!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^9\\.1\\.\") {\n if (version_is_less(version: version, test_version: \"9.1.1328.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.1.1328.0\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^9\\.2\\.\") {\n if (version_is_less(version: version, test_version: \"9.2.11.19\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.2.11.19\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^9\\.5\\.\") {\n if (version_is_less(version: version, test_version: \"9.5.6.63\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"9.5.6.63\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T18:28:23", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-11-13T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2017:2998-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2017-10357", "CVE-2017-10356", "CVE-2017-10349", "CVE-2017-10281", "CVE-2017-10348", "CVE-2017-10388", "CVE-2017-10355", "CVE-2016-9842", "CVE-2017-10347", "CVE-2017-10285", "CVE-2016-9843", "CVE-2017-10350", "CVE-2017-10274", "CVE-2017-10346", "CVE-2017-10295", "CVE-2016-10165", "CVE-2016-9841", "CVE-2017-10345"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851646", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851646\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-13 07:24:54 +0100 (Mon, 13 Nov 2017)\");\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10295\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2017:2998-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_8_0-openjdk'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for java-1_8_0-openjdk fixes the following issues:\n\n - Update to version jdk8u151 (icedtea 3.6.0)\n\n Security issues fixed:\n\n - CVE-2017-10274: Handle smartcard clean up better (bsc#1064071)\n\n - CVE-2017-10281: Better queuing priorities (bsc#1064072)\n\n - CVE-2017-10285: Unreferenced references (bsc#1064073)\n\n - CVE-2017-10295: Better URL connections (bsc#1064075)\n\n - CVE-2017-10388: Correct Kerberos ticket grants (bsc#1064086)\n\n - CVE-2017-10346: Better invokespecial checks (bsc#1064078)\n\n - CVE-2017-10350: Better Base Exceptions (bsc#1064082)\n\n - CVE-2017-10347: Better timezone processing (bsc#1064079)\n\n - CVE-2017-10349: Better X processing (bsc#1064081)\n\n - CVE-2017-10345: Better keystore handling (bsc#1064077)\n\n - CVE-2017-10348: Better processing of unresolved permissions (bsc#1064080)\n\n - CVE-2017-10357: Process Proxy presentation (bsc#1064085)\n\n - CVE-2017-10355: More stable connection processing (bsc#1064083)\n\n - CVE-2017-10356: Update storage implementations (bsc#1064084)\n\n - CVE-2016-10165: Improve CMS header processing (bsc#1064069)\n\n - CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade\n compression library (bsc#1064070)\n\n Bug fixes:\n\n - Fix bsc#1032647, bsc#1052009 with btrfs subvolumes and overlayfs\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\");\n\n script_tag(name:\"affected\", value:\"java-1_8_0-openjdk on openSUSE Leap 42.3, openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2998-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.3)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk\", rpm:\"java-1_8_0-openjdk~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-accessibility\", rpm:\"java-1_8_0-openjdk-accessibility~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debuginfo\", rpm:\"java-1_8_0-openjdk-debuginfo~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debugsource\", rpm:\"java-1_8_0-openjdk-debugsource~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo\", rpm:\"java-1_8_0-openjdk-demo~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo-debuginfo\", rpm:\"java-1_8_0-openjdk-demo-debuginfo~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel\", rpm:\"java-1_8_0-openjdk-devel~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel-debuginfo\", rpm:\"java-1_8_0-openjdk-devel-debuginfo~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless\", rpm:\"java-1_8_0-openjdk-headless~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless-debuginfo\", rpm:\"java-1_8_0-openjdk-headless-debuginfo~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-src\", rpm:\"java-1_8_0-openjdk-src~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-javadoc\", rpm:\"java-1_8_0-openjdk-javadoc~1.8.0.151~10.18.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk\", rpm:\"java-1_8_0-openjdk~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-accessibility\", rpm:\"java-1_8_0-openjdk-accessibility~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debuginfo\", rpm:\"java-1_8_0-openjdk-debuginfo~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debugsource\", rpm:\"java-1_8_0-openjdk-debugsource~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo\", rpm:\"java-1_8_0-openjdk-demo~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo-debuginfo\", rpm:\"java-1_8_0-openjdk-demo-debuginfo~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel\", rpm:\"java-1_8_0-openjdk-devel~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel-debuginfo\", rpm:\"java-1_8_0-openjdk-devel-debuginfo~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless\", rpm:\"java-1_8_0-openjdk-headless~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless-debuginfo\", rpm:\"java-1_8_0-openjdk-headless-debuginfo~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-src\", rpm:\"java-1_8_0-openjdk-src~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-javadoc\", rpm:\"java-1_8_0-openjdk-javadoc~1.8.0.151~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:22:48", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-09-26T00:00:00", "type": "openvas", "title": "Apple Mac OS X Multiple Vulnerabilities-HT208144", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-6459", "CVE-2017-7077", "CVE-2017-9233", "CVE-2017-10989", "CVE-2017-7143", "CVE-2016-9840", "CVE-2017-7084", "CVE-2017-7138", "CVE-2016-9063", "CVE-2017-7126", "CVE-2017-11103", "CVE-2017-6455", "CVE-2017-6460", "CVE-2017-7130", "CVE-2017-7128", "CVE-2016-9842", "CVE-2017-7114", "CVE-2017-6451", "CVE-2017-1000373", "CVE-2017-7083", "CVE-2017-7121", "CVE-2017-7074", "CVE-2017-7078", "CVE-2017-7129", "CVE-2017-0381", "CVE-2017-7080", "CVE-2017-6458", "CVE-2017-7141", "CVE-2017-7119", "CVE-2016-9042", "CVE-2017-7125", "CVE-2017-6462", "CVE-2017-6463", "CVE-2016-9843", "CVE-2017-6452", "CVE-2017-7086", "CVE-2017-7082", "CVE-2016-9841", "CVE-2017-7127", "CVE-2017-6464", "CVE-2017-7124", "CVE-2017-7123", "CVE-2017-7122"], "modified": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310811790", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811790", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-HT208144\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811790\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2017-7084\", \"CVE-2017-7074\", \"CVE-2017-7143\", \"CVE-2017-7083\",\n \"CVE-2017-0381\", \"CVE-2017-7138\", \"CVE-2017-7121\", \"CVE-2017-7122\",\n \"CVE-2017-7123\", \"CVE-2017-7124\", \"CVE-2017-7125\", \"CVE-2017-7126\",\n \"CVE-2017-11103\", \"CVE-2017-7077\", \"CVE-2017-7119\", \"CVE-2017-7114\",\n \"CVE-2017-7086\", \"CVE-2017-1000373\", \"CVE-2016-9063\", \"CVE-2017-9233\",\n \"CVE-2017-7141\", \"CVE-2017-7078\", \"CVE-2017-6451\", \"CVE-2017-6452\",\n \"CVE-2017-6455\", \"CVE-2017-6458\", \"CVE-2017-6459\", \"CVE-2017-6460\",\n \"CVE-2017-6462\", \"CVE-2017-6463\", \"CVE-2017-6464\", \"CVE-2016-9042\",\n \"CVE-2017-7082\", \"CVE-2017-7080\", \"CVE-2017-10989\", \"CVE-2017-7128\",\n \"CVE-2017-7129\", \"CVE-2017-7130\", \"CVE-2017-7127\", \"CVE-2016-9840\",\n \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_bugtraq_id(999551, 97074, 99276, 95131, 97049, 99502, 97078, 97076, 99177,\n 97058, 94337, 97045, 95248, 97046, 97052, 97050, 97051);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-09-26 12:22:46 +0530 (Tue, 26 Sep 2017)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-HT208144\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple issues in zlib, SQLite, ntp, expat and files.\n\n - Multiple memory corruption issues.\n\n - A certificate validation issue existed in the handling of revocation data.\n\n - Window management, memory consumption and validation issues.\n\n - An encryption issue existed in the handling of mail drafts.\n\n - Turning off 'Load remote content in messages' did not apply to all mailboxes.\n\n - A resource exhaustion issue in 'glob' function.\n\n - A permissions issue existed in the handling of the Apple ID.\n\n - An out-of-bounds read error.\n\n - The security state of the captive portal browser was not obvious.\n\n - An upgrade issue existed in the handling of firewall settings.\n\n - Some unspecified errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to cause a denial of service, read unencrypted password over the network, gain\n access to potentially sensitive information, determine the Apple ID of the owner\n of the computer, impersonate a service, execute arbitrary code with system\n privileges, execute arbitrary code with kernel privileges, able to intercept\n mail contents, revoked certificate to be trusted and have other unknown impacts.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X version 10.8 through 10.12.x\n prior to 10.13\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version\n 10.13 or later. Note: According to the vendor an upgrade to version 10.13 is required to\n mitigate this vulnerabilities. Please see the advisory (HT208144) for more info.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208144\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.(8|9|10|11|12)\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer){\n exit(0);\n}\n\nif(\"Mac OS X\" >< osName && osVer =~ \"^10\\.(8|9|10|11|12)\"){\n if(version_in_range(version:osVer, test_version:\"10.8\", test_version2:\"10.12.9\")){\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"According to the vendor an upgrade to version 10.13 is required to mitigate this vulnerabilities. Please see the advisory (HT208144) for more info.\");\n security_message(port:0, data:report);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T17:39:25", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-01-09T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for java-1_7_0-openjdk (openSUSE-SU-2018:0042-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-10193", "CVE-2016-9840", "CVE-2017-10357", "CVE-2017-10356", "CVE-2017-10349", "CVE-2017-10281", "CVE-2017-10087", "CVE-2017-10348", "CVE-2017-10388", "CVE-2017-10198", "CVE-2017-10355", "CVE-2017-10107", "CVE-2017-10243", "CVE-2016-9842", "CVE-2017-10347", "CVE-2017-10135", "CVE-2017-10101", "CVE-2017-10108", "CVE-2017-10090", "CVE-2017-10111", "CVE-2017-10096", "CVE-2017-10110", "CVE-2017-10105", "CVE-2017-10115", "CVE-2017-10285", "CVE-2017-10114", "CVE-2016-9843", "CVE-2017-10350", "CVE-2017-10274", "CVE-2017-10116", "CVE-2017-10067", "CVE-2017-10346", "CVE-2017-10295", "CVE-2017-10074", "CVE-2016-10165", "CVE-2017-10053", "CVE-2016-9841", "CVE-2017-10081", "CVE-2017-10345", "CVE-2017-10176", "CVE-2017-10089", "CVE-2017-10109", "CVE-2017-10086", "CVE-2017-10118", "CVE-2017-10125", "CVE-2017-10102"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851679", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851679", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851679\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-09 15:38:23 +0100 (Tue, 09 Jan 2018)\");\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\",\n \"CVE-2016-9843\", \"CVE-2017-10053\", \"CVE-2017-10067\", \"CVE-2017-10074\",\n \"CVE-2017-10081\", \"CVE-2017-10086\", \"CVE-2017-10087\", \"CVE-2017-10089\",\n \"CVE-2017-10090\", \"CVE-2017-10096\", \"CVE-2017-10101\", \"CVE-2017-10102\",\n \"CVE-2017-10105\", \"CVE-2017-10107\", \"CVE-2017-10108\", \"CVE-2017-10109\",\n \"CVE-2017-10110\", \"CVE-2017-10111\", \"CVE-2017-10114\", \"CVE-2017-10115\",\n \"CVE-2017-10116\", \"CVE-2017-10118\", \"CVE-2017-10125\", \"CVE-2017-10135\",\n \"CVE-2017-10176\", \"CVE-2017-10193\", \"CVE-2017-10198\", \"CVE-2017-10243\",\n \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10295\",\n \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\",\n \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\",\n \"CVE-2017-10357\", \"CVE-2017-10388\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for java-1_7_0-openjdk (openSUSE-SU-2018:0042-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_7_0-openjdk'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for java-1_7_0-openjdk fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2017-10356: Fix issue inside subcomponent Security (bsc#1064084).\n\n - CVE-2017-10274: Fix issue inside subcomponent Smart Card IO\n (bsc#1064071).\n\n - CVE-2017-10281: Fix issue inside subcomponent Serialization\n (bsc#1064072).\n\n - CVE-2017-10285: Fix issue inside subcomponent RMI (bsc#1064073).\n\n - CVE-2017-10295: Fix issue inside subcomponent Networking (bsc#1064075).\n\n - CVE-2017-10388: Fix issue inside subcomponent Libraries (bsc#1064086).\n\n - CVE-2017-10346: Fix issue inside subcomponent Hotspot (bsc#1064078).\n\n - CVE-2017-10350: Fix issue inside subcomponent JAX-WS (bsc#1064082).\n\n - CVE-2017-10347: Fix issue inside subcomponent Serialization\n (bsc#1064079).\n\n - CVE-2017-10349: Fix issue inside subcomponent JAXP (bsc#1064081).\n\n - CVE-2017-10345: Fix issue inside subcomponent Serialization\n (bsc#1064077).\n\n - CVE-2017-10348: Fix issue inside subcomponent Libraries (bsc#1064080).\n\n - CVE-2017-10357: Fix issue inside subcomponent Serialization\n (bsc#1064085).\n\n - CVE-2017-10355: Fix issue inside subcomponent Networking (bsc#1064083).\n\n - CVE-2017-10102: Fix incorrect handling of references in DGC\n (bsc#1049316).\n\n - CVE-2017-10053: Fix reading of unprocessed image data in JPEGImageReader\n (bsc#1049305).\n\n - CVE-2017-10067: Fix JAR verifier incorrect handling of missing digest\n (bsc#1049306).\n\n - CVE-2017-10081: Fix incorrect bracket processing in function signature\n handling (bsc#1049309).\n\n - CVE-2017-10087: Fix insufficient access control checks in\n ThreadPoolExecutor (bsc#1049311).\n\n - CVE-2017-10089: Fix insufficient access control checks in\n ServiceRegistry (bsc#1049312).\n\n - CVE-2017-10090: Fix insufficient access control checks in\n AsynchronousChannelGroupImpl (bsc#1049313).\n\n - CVE-2017-10096: Fix insufficient access control checks in XML\n transformations (bsc#1049314).\n\n - CVE-2017-10101: Fix unrestricted access to\n com.sun.org.apache.xml.internal.resolver (bsc#1049315).\n\n - CVE-2017-10107: Fix insufficient access control checks in ActivationID\n (bsc#1049318).\n\n - CVE-2017-10074: Fix integer overflows in range check loop predicates\n (bsc#1049307).\n\n - CVE-2017-10110: Fix insufficient access control checks in ImageWatched\n (bsc#1049321).\n\n - CVE-2017-10108: Fix unbounded memory allocation in BasicAttribute\n deserialization (bsc#1049319).\n\n - CVE-2017-10109: Fix unbounded memory allocation in CodeSource\n deserialization (bsc#1049320).\n\n - CVE-2017-10115: Fix unspecified vulnerability in subcomponent JCE\n (bsc#1049324).\n\n - CVE-2 ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"java-1_7_0-openjdk on openSUSE Leap 42.3, openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:0042-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00025.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.3)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-accessibility\", rpm:\"java-1_7_0-openjdk-accessibility~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap\", rpm:\"java-1_7_0-openjdk-bootstrap~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-debuginfo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-debugsource\", rpm:\"java-1_7_0-openjdk-bootstrap-debugsource~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-devel\", rpm:\"java-1_7_0-openjdk-bootstrap-devel~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-headless\", rpm:\"java-1_7_0-openjdk-bootstrap-headless~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo\", rpm:\"java-1_7_0-openjdk-demo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo-debuginfo\", rpm:\"java-1_7_0-openjdk-demo-debuginfo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel\", rpm:\"java-1_7_0-openjdk-devel~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-devel-debuginfo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless\", rpm:\"java-1_7_0-openjdk-headless~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-headless-debuginfo~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-src\", rpm:\"java-1_7_0-openjdk-src~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-javadoc\", rpm:\"java-1_7_0-openjdk-javadoc~1.7.0.161~42.6.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-accessibility\", rpm:\"java-1_7_0-openjdk-accessibility~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap\", rpm:\"java-1_7_0-openjdk-bootstrap~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-debuginfo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-debugsource\", rpm:\"java-1_7_0-openjdk-bootstrap-debugsource~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-devel\", rpm:\"java-1_7_0-openjdk-bootstrap-devel~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-headless\", rpm:\"java-1_7_0-openjdk-bootstrap-headless~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo\", rpm:\"java-1_7_0-openjdk-demo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo-debuginfo\", rpm:\"java-1_7_0-openjdk-demo-debuginfo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel\", rpm:\"java-1_7_0-openjdk-devel~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-devel-debuginfo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless\", rpm:\"java-1_7_0-openjdk-headless~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-headless-debuginfo~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-src\", rpm:\"java-1_7_0-openjdk-src~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-javadoc\", rpm:\"java-1_7_0-openjdk-javadoc~1.7.0.161~45.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:33", "description": "This host is running Nessus and is prone to\n multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-15T00:00:00", "type": "openvas", "title": "Tenable Nessus Multiple Vulnerabilities(tns-2018-08)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8388", "CVE-2017-16931", "CVE-2017-9233", "CVE-2016-9840", "CVE-2017-7375", "CVE-2017-7244", "CVE-2017-11742", "CVE-2015-8391", "CVE-2018-11214", "CVE-2016-9063", "CVE-2016-5300", "CVE-2015-8395", "CVE-2015-8382", "CVE-2017-5969", "CVE-2016-9318", "CVE-2015-8386", "CVE-2015-2327", "CVE-2017-9049", "CVE-2016-9842", "CVE-2017-8872", "CVE-2012-0876", "CVE-2012-6702", "CVE-2016-0718", "CVE-2015-8392", "CVE-2015-8389", "CVE-2018-9251", "CVE-2015-8380", "CVE-2017-9048", "CVE-2014-8964", "CVE-2016-1283", "CVE-2017-5029", "CVE-2015-8394", "CVE-2012-6139", "CVE-2016-5131", "CVE-2015-3217", "CVE-2016-3191", "CVE-2015-8384", "CVE-2016-9843", "CVE-2017-7246", "CVE-2017-7245", "CVE-2017-1000061", "CVE-2017-9047", "CVE-2016-1683", "CVE-2015-8383", "CVE-2016-1684", "CVE-2015-8381", "CVE-2017-7186", "CVE-2015-5073", "CVE-2017-18258", "CVE-2015-8385", "CVE-2016-9841", "CVE-2017-16932", "CVE-2015-9019", "CVE-2015-7995", "CVE-2015-2328", "CVE-2016-4472", "CVE-2014-9769", "CVE-2015-8387", "CVE-2015-8390", "CVE-2017-6004", "CVE-2017-9050"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813437", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813437", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Tenable Nessus Multiple Vulnerabilities(tns-2018-08)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:tenable:nessus\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813437\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2017-11742\", \"CVE-2017-9233\", \"CVE-2016-9063\", \"CVE-2016-0718\",\n \"CVE-2016-5300\", \"CVE-2012-0876\", \"CVE-2016-4472\", \"CVE-2012-6702\",\n \"CVE-2018-11214\", \"CVE-2017-18258\", \"CVE-2017-16932\", \"CVE-2017-16931\",\n \"CVE-2017-9050\", \"CVE-2017-9049\", \"CVE-2017-9048\", \"CVE-2017-9047\",\n \"CVE-2017-8872\", \"CVE-2017-7375\", \"CVE-2017-5969\", \"CVE-2016-9318\",\n \"CVE-2016-5131\", \"CVE-2018-9251\", \"CVE-2017-1000061\", \"CVE-2012-6139\",\n \"CVE-2015-7995\", \"CVE-2015-9019\", \"CVE-2016-1683\", \"CVE-2016-1684\",\n \"CVE-2017-5029\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\",\n \"CVE-2016-9843\", \"CVE-2014-8964\", \"CVE-2014-9769\", \"CVE-2015-2327\",\n \"CVE-2015-2328\", \"CVE-2015-3217\", \"CVE-2015-5073\", \"CVE-2015-8380\",\n \"CVE-2015-8381\", \"CVE-2015-8382\", \"CVE-2015-8383\", \"CVE-2015-8384\",\n \"CVE-2015-8385\", \"CVE-2015-8386\", \"CVE-2015-8387\", \"CVE-2015-8388\",\n \"CVE-2015-8389\", \"CVE-2015-8390\", \"CVE-2015-8391\", \"CVE-2015-8392\",\n \"CVE-2015-8394\", \"CVE-2015-8395\", \"CVE-2016-1283\", \"CVE-2016-3191\",\n \"CVE-2017-6004\", \"CVE-2017-7186\", \"CVE-2017-7244\", \"CVE-2017-7245\",\n \"CVE-2017-7246\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-15 11:03:08 +0530 (Fri, 15 Jun 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Tenable Nessus Multiple Vulnerabilities(tns-2018-08)\");\n\n script_tag(name:\"summary\", value:\"This host is running Nessus and is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists as some of the third-party\n components used within Nessus to provide underlying functionality were found to\n contain various vulnerabilities. The components with vulnerabilities include\n expat, libjpeg, libXML2, libXMLSEC, libXSLT, Zlib and libPCRE\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers potentially to gain privileges, execute arbitrary code, bypass\n security restrictions, conduct denial-of-service, gain access to potentially\n sensitive information, conduct XML External Entity (XXE) attacks and unspecified\n other impacts.\");\n\n script_tag(name:\"affected\", value:\"Nessus versions prior to version 7.1.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to nessus version 7.1.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.tenable.com\");\n script_xref(name:\"URL\", value:\"https://www.tenable.com/security/tns-2018-08\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_nessus_web_server_detect.nasl\");\n script_mandatory_keys(\"nessus/installed\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!nesPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:nesPort, exit_no_version:TRUE)) exit(0);\nnesVer = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:nesVer, test_version:\"7.1.1\"))\n{\n report = report_fixed_ver(installed_version:nesVer, fixed_version:\"7.1.1\", install_path:path);\n security_message(data:report, port:nesPort);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "debiancve": [{"lastseen": "2022-06-22T22:03:11", "description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-05-23T04:29:00", "type": "debiancve", "title": "CVE-2016-9840", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840"], "modified": "2017-05-23T04:29:00", "id": "DEBIANCVE:CVE-2016-9840", "href": "https://security-tracker.debian.org/tracker/CVE-2016-9840", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-24T16:06:27", "description": "According to the version of the zlib packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-05-01T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : zlib (EulerOS-SA-2020-1556)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:zlib", "p-cpe:/a:huawei:euleros:zlib-devel", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2020-1556.NASL", "href": "https://www.tenable.com/plugins/nessus/136259", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136259);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-9840\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : zlib (EulerOS-SA-2020-1556)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the zlib packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerability :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent\n attackers to have unspecified impact by leveraging\n improper pointer arithmetic.(CVE-2016-9840)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1556\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4d0aabd8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected zlib package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"zlib-1.2.7-17.h1\",\n \"zlib-devel-1.2.7-17.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T16:09:59", "description": "According to the versions of the zlib packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9841)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-07-01T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.0 : zlib (EulerOS-SA-2020-1741)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:zlib", "p-cpe:/a:huawei:euleros:zlib-devel", "cpe:/o:huawei:euleros:uvp:3.0.6.0"], "id": "EULEROS_SA-2020-1741.NASL", "href": "https://www.tenable.com/plugins/nessus/137960", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137960);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-9840\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : zlib (EulerOS-SA-2020-1741)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the zlib packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent\n attackers to have unspecified impact by leveraging\n improper pointer arithmetic.(CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent\n attackers to have unspecified impact by leveraging\n improper pointer arithmetic.(CVE-2016-9841)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1741\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?17feb566\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected zlib packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"zlib-1.2.7-17.h1\",\n \"zlib-devel-1.2.7-17.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-12T16:12:01", "description": "This update for zlib fixes the following issues :\n\n - Remove incompatible declarations of 'struct internal_state' (boo#1003577)\n\n - Avoid out-of-bounds pointer arithmetic in inftrees.c (boo#1003579, CVE-2016-9840, CVE-2016-9841)\n\n - Avoid left-shift with negative number (boo#1003580, CVE-2016-9842)\n\n - Avoid undefined behaviour in pointer arithmetic on powerpc (boo#1013882, CVE-2016-9843)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-21T00:00:00", "type": "nessus", "title": "openSUSE Security Update : zlib (openSUSE-2016-1499)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libminizip1", "p-cpe:/a:novell:opensuse:libminizip1-debuginfo", "p-cpe:/a:novell:opensuse:libz1", "p-cpe:/a:novell:opensuse:libz1-32bit", "p-cpe:/a:novell:opensuse:libz1-debuginfo", "p-cpe:/a:novell:opensuse:libz1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:minizip-devel", "p-cpe:/a:novell:opensuse:zlib-debugsource", "p-cpe:/a:novell:opensuse:zlib-devel", "p-cpe:/a:novell:opensuse:zlib-devel-32bit", "p-cpe:/a:novell:opensuse:zlib-devel-static", "p-cpe:/a:novell:opensuse:zlib-devel-static-32bit", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2016-1499.NASL", "href": "https://www.tenable.com/plugins/nessus/95975", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1499.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95975);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"openSUSE Security Update : zlib (openSUSE-2016-1499)\");\n script_summary(english:\"Check for the openSUSE-2016-1499 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for zlib fixes the following issues :\n\n - Remove incompatible declarations of 'struct\n internal_state' (boo#1003577)\n\n - Avoid out-of-bounds pointer arithmetic in inftrees.c\n (boo#1003579, CVE-2016-9840, CVE-2016-9841)\n\n - Avoid left-shift with negative number (boo#1003580,\n CVE-2016-9842)\n\n - Avoid undefined behaviour in pointer arithmetic on\n powerpc (boo#1013882, CVE-2016-9843)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1013882\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected zlib packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libminizip1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libminizip1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:minizip-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-static-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libminizip1-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libminizip1-debuginfo-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libz1-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libz1-debuginfo-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"minizip-devel-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"zlib-debugsource-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"zlib-devel-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"zlib-devel-static-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libz1-32bit-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libz1-debuginfo-32bit-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"zlib-devel-32bit-1.2.8-5.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"zlib-devel-static-32bit-1.2.8-5.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libminizip1 / libminizip1-debuginfo / libz1 / libz1-32bit / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:38:39", "description": "This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-03T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : zlib (SUSE-SU-2017:0004-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libz1", "p-cpe:/a:novell:suse_linux:libz1-debuginfo", "p-cpe:/a:novell:suse_linux:zlib-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-0004-1.NASL", "href": "https://www.tenable.com/plugins/nessus/96266", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0004-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96266);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : zlib (SUSE-SU-2017:0004-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n (bsc#1013882)\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number\n (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds\n pointer arithmetic in inftrees.c (bsc#1003579)\n Incompatible declarations for external linkage function\n deflate (bsc#1003577)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170004-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f4a24ec8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-3=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-3=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2017-3=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libz1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libz1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:zlib-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libz1-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libz1-debuginfo-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"zlib-debugsource-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libz1-32bit-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libz1-debuginfo-32bit-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libz1-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libz1-32bit-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libz1-debuginfo-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libz1-debuginfo-32bit-1.2.8-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"zlib-debugsource-1.2.8-6.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:38:40", "description": "This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579) Incompatible declarations for external linkage function deflate (bsc#1003577)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-03T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : zlib (SUSE-SU-2017:0003-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libz1", "p-cpe:/a:novell:suse_linux:libz1-debuginfo", "p-cpe:/a:novell:suse_linux:zlib-debugsource", "p-cpe:/a:novell:suse_linux:zlib-devel", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-0003-1.NASL", "href": "https://www.tenable.com/plugins/nessus/96265", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0003-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96265);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : zlib (SUSE-SU-2017:0003-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number\n (bsc#1003580) CVE-2016-9840 CVE-2016-9841: Out-of-bounds\n pointer arithmetic in inftrees.c (bsc#1003579)\n Incompatible declarations for external linkage function\n deflate (bsc#1003577)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170003-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0d39fb45\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-2=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-2=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-2=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-2=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libz1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libz1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:zlib-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-debuginfo-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"zlib-debugsource-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"zlib-devel-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-32bit-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-debuginfo-32bit-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-32bit-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-debuginfo-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libz1-debuginfo-32bit-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"zlib-debugsource-1.2.8-11.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"zlib-devel-1.2.8-11.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T16:12:07", "description": "The remote host is affected by the vulnerability described in GLSA-202007-54 (rsync: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in rsync (within bundled zlib). Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-30T00:00:00", "type": "nessus", "title": "GLSA-202007-54 : rsync: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2020-08-03T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:rsync", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202007-54.NASL", "href": "https://www.tenable.com/plugins/nessus/139117", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202007-54.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139117);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/03\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_xref(name:\"GLSA\", value:\"202007-54\");\n\n script_name(english:\"GLSA-202007-54 : rsync: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202007-54\n(rsync: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in rsync (within bundled\n zlib). Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202007-54\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All rsync users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/rsync-3.2.0'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:rsync\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/rsync\", unaffected:make_list(\"ge 3.2.0\"), vulnerable:make_list(\"lt 3.2.0\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rsync\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:38:14", "description": "The remote host is affected by the vulnerability described in GLSA-201701-56 (zlib: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in zlib. Please review the CVE identifiers referenced below for details.\n Impact :\n\n An attacker could cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-23T00:00:00", "type": "nessus", "title": "GLSA-201701-56 : zlib: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:zlib", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201701-56.NASL", "href": "https://www.tenable.com/plugins/nessus/96691", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201701-56.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96691);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_xref(name:\"GLSA\", value:\"201701-56\");\n\n script_name(english:\"GLSA-201701-56 : zlib: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201701-56\n(zlib: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in zlib. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n An attacker could cause a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201701-56\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All zlib users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-libs/zlib-1.2.9'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sys-libs/zlib\", unaffected:make_list(\"ge 1.2.9\"), vulnerable:make_list(\"lt 1.2.9\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T16:02:04", "description": "Several issues have been found in zlib, a compression library. They are basically about improper big-endian CRC calculation, improper left shift of negative integers and improper pointer arithmetic.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 1:1.2.8.dfsg-2+deb8u1.\n\nWe recommend that you upgrade your zlib packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-30T00:00:00", "type": "nessus", "title": "Debian DLA-2085-1 : zlib security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:lib32z1", "p-cpe:/a:debian:debian_linux:lib32z1-dev", "p-cpe:/a:debian:debian_linux:lib64z1", "p-cpe:/a:debian:debian_linux:lib64z1-dev", "p-cpe:/a:debian:debian_linux:zlib1g", "p-cpe:/a:debian:debian_linux:zlib1g-dbg", "p-cpe:/a:debian:debian_linux:zlib1g-dev", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2085.NASL", "href": "https://www.tenable.com/plugins/nessus/133323", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2085-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133323);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"Debian DLA-2085-1 : zlib security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several issues have been found in zlib, a compression library. They\nare basically about improper big-endian CRC calculation, improper left\nshift of negative integers and improper pointer arithmetic.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1:1.2.8.dfsg-2+deb8u1.\n\nWe recommend that you upgrade your zlib packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/zlib\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lib32z1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lib32z1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lib64z1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lib64z1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zlib1g\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zlib1g-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zlib1g-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"lib32z1\", reference:\"1:1.2.8.dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"lib32z1-dev\", reference:\"1:1.2.8.dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"lib64z1\", reference:\"1:1.2.8.dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"lib64z1-dev\", reference:\"1:1.2.8.dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zlib1g\", reference:\"1:1.2.8.dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zlib1g-dbg\", reference:\"1:1.2.8.dfsg-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"zlib1g-dev\", reference:\"1:1.2.8.dfsg-2+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T16:13:21", "description": "rsync developers reports :\n\nVarious zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-18T00:00:00", "type": "nessus", "title": "FreeBSD : net/rsync -- multiple zlib issues (085399ab-dfd7-11ea-96e4-80ee73bc7b66)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2020-08-20T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:rsync", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_085399ABDFD711EA96E480EE73BC7B66.NASL", "href": "https://www.tenable.com/plugins/nessus/139639", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139639);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/20\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"FreeBSD : net/rsync -- multiple zlib issues (085399ab-dfd7-11ea-96e4-80ee73bc7b66)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"rsync developers reports :\n\nVarious zlib fixes, including security fixes for CVE-2016-9843,\nCVE-2016-9842, CVE-2016-9841, and CVE-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://download.samba.org/pub/rsync/NEWS#3.2.0\"\n );\n # https://vuxml.freebsd.org/freebsd/085399ab-dfd7-11ea-96e4-80ee73bc7b66.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?81f605dd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rsync\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rsync<3.2.0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T16:03:02", "description": "It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)\n\nIt was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9842)\n\nIt was discovered that zlib incorrectly handled vectors involving big-endian CRC calculation. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9843).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-23T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : zlib vulnerabilities (USN-4246-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2020-01-27T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:lib32z1", "p-cpe:/a:canonical:ubuntu_linux:lib64z1", "p-cpe:/a:canonical:ubuntu_linux:libn32z1", "p-cpe:/a:canonical:ubuntu_linux:libx32z1", "p-cpe:/a:canonical:ubuntu_linux:zlib1g", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-4246-1.NASL", "href": "https://www.tenable.com/plugins/nessus/133204", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4246-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133204);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/27\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_xref(name:\"USN\", value:\"4246-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : zlib vulnerabilities (USN-4246-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that zlib incorrectly handled pointer arithmetic. An\nattacker could use this issue to cause zlib to crash, resulting in a\ndenial of service, or possibly execute arbitrary code. (CVE-2016-9840,\nCVE-2016-9841)\n\nIt was discovered that zlib incorrectly handled vectors involving left\nshifts of negative integers. An attacker could use this issue to cause\nzlib to crash, resulting in a denial of service, or possibly execute\narbitrary code. (CVE-2016-9842)\n\nIt was discovered that zlib incorrectly handled vectors involving\nbig-endian CRC calculation. An attacker could use this issue to cause\nzlib to crash, resulting in a denial of service, or possibly execute\narbitrary code. (CVE-2016-9843).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4246-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:lib32z1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:lib64z1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libn32z1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libx32z1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:zlib1g\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"lib32z1\", pkgver:\"1:1.2.8.dfsg-2ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"lib64z1\", pkgver:\"1:1.2.8.dfsg-2ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libn32z1\", pkgver:\"1:1.2.8.dfsg-2ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libx32z1\", pkgver:\"1:1.2.8.dfsg-2ubuntu4.3\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"zlib1g\", pkgver:\"1:1.2.8.dfsg-2ubuntu4.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lib32z1 / lib64z1 / libn32z1 / libx32z1 / zlib1g\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T16:04:39", "description": "It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-9840, CVE-2016-9841)\n\nIt was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9842)\n\nIt was discovered that rsync incorrectly handled vectors involving big-endian CRC calculation in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9843).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-02-25T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS : rsync vulnerabilities (USN-4292-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2020-02-27T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:rsync", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts"], "id": "UBUNTU_USN-4292-1.NASL", "href": "https://www.tenable.com/plugins/nessus/134039", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4292-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134039);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/27\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_xref(name:\"USN\", value:\"4292-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS : rsync vulnerabilities (USN-4292-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that rsync incorrectly handled pointer arithmetic in\nzlib. An attacker could use this issue to cause rsync to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-9840, CVE-2016-9841)\n\nIt was discovered that rsync incorrectly handled vectors involving\nleft shifts of negative integers in zlib. An attacker could use this\nissue to cause rsync to crash, resulting in a denial of service, or\npossibly execute arbitrary code. (CVE-2016-9842)\n\nIt was discovered that rsync incorrectly handled vectors involving\nbig-endian CRC calculation in zlib. An attacker could use this issue\nto cause rsync to crash, resulting in a denial of service, or possibly\nexecute arbitrary code. (CVE-2016-9843).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4292-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected rsync package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:rsync\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"rsync\", pkgver:\"3.1.1-3ubuntu1.3\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"rsync\", pkgver:\"3.1.2-2.1ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rsync\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:17:18", "description": "According to the versions of the zlib packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.i1/4^CVE-2016-9841i1/4%0\n\n - The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.i1/4^CVE-2016-9842i1/4%0\n\n - The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.i1/4^CVE-2016-9843i1/4%0\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-04T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.5.3 : zlib (EulerOS-SA-2019-1276)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:zlib", "p-cpe:/a:huawei:euleros:zlib-devel", "cpe:/o:huawei:euleros:uvp:2.5.3"], "id": "EULEROS_SA-2019-1276.NASL", "href": "https://www.tenable.com/plugins/nessus/123744", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123744);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-9840\",\n \"CVE-2016-9841\",\n \"CVE-2016-9842\",\n \"CVE-2016-9843\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.5.3 : zlib (EulerOS-SA-2019-1276)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the zlib packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent\n attackers to have unspecified impact by leveraging\n improper pointer arithmetic.(CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent\n attackers to have unspecified impact by leveraging\n improper pointer arithmetic.i1/4^CVE-2016-9841i1/4%0\n\n - The inflateMark function in inflate.c in zlib 1.2.8\n might allow context-dependent attackers to have\n unspecified impact via vectors involving left shifts of\n negative integers.i1/4^CVE-2016-9842i1/4%0\n\n - The crc32_big function in crc32.c in zlib 1.2.8 might\n allow context-dependent attackers to have unspecified\n impact via vectors involving big-endian CRC\n calculation.i1/4^CVE-2016-9843i1/4%0\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1276\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?613671de\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected zlib packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.5.3\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.5.3\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.5.3\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"zlib-1.2.7-17.h1\",\n \"zlib-devel-1.2.7-17.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:37:56", "description": "This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) \n\n - CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)\n\n - Incompatible declarations for external linkage function deflate (bsc#1003577)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update project.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-10T00:00:00", "type": "nessus", "title": "openSUSE Security Update : zlib (openSUSE-2017-46)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libminizip1", "p-cpe:/a:novell:opensuse:libminizip1-debuginfo", "p-cpe:/a:novell:opensuse:libz1", "p-cpe:/a:novell:opensuse:libz1-32bit", "p-cpe:/a:novell:opensuse:libz1-debuginfo", "p-cpe:/a:novell:opensuse:libz1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:minizip-devel", "p-cpe:/a:novell:opensuse:zlib-debugsource", "p-cpe:/a:novell:opensuse:zlib-devel", "p-cpe:/a:novell:opensuse:zlib-devel-32bit", "p-cpe:/a:novell:opensuse:zlib-devel-static", "p-cpe:/a:novell:opensuse:zlib-devel-static-32bit", "cpe:/o:novell:opensuse:42.2"], "id": "OPENSUSE-2017-46.NASL", "href": "https://www.tenable.com/plugins/nessus/96376", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-46.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96376);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"openSUSE Security Update : zlib (openSUSE-2017-46)\");\n script_summary(english:\"Check for the openSUSE-2017-46 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number\n (bsc#1003580) \n\n - CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer\n arithmetic in inftrees.c (bsc#1003579)\n\n - Incompatible declarations for external linkage function\n deflate (bsc#1003577)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1013882\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected zlib packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libminizip1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libminizip1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:minizip-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-static-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libminizip1-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libminizip1-debuginfo-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libz1-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libz1-debuginfo-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"minizip-devel-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"zlib-debugsource-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"zlib-devel-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"zlib-devel-static-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libz1-32bit-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libz1-debuginfo-32bit-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"zlib-devel-32bit-1.2.8-10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"zlib-devel-static-32bit-1.2.8-10.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libminizip1 / libminizip1-debuginfo / libz1 / libz1-32bit / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:38:15", "description": "This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) \n\n - CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)\n\n - Incompatible declarations for external linkage function deflate (bsc#1003577)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-10T00:00:00", "type": "nessus", "title": "openSUSE Security Update : zlib (openSUSE-2017-47)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libz1", "p-cpe:/a:novell:opensuse:libz1-32bit", "p-cpe:/a:novell:opensuse:libz1-debuginfo", "p-cpe:/a:novell:opensuse:libz1-debuginfo-32bit", "p-cpe:/a:novell:opensuse:zlib-debugsource", "p-cpe:/a:novell:opensuse:zlib-devel", "p-cpe:/a:novell:opensuse:zlib-devel-32bit", "p-cpe:/a:novell:opensuse:zlib-devel-static", "p-cpe:/a:novell:opensuse:zlib-devel-static-32bit", "cpe:/o:novell:opensuse:42.1"], "id": "OPENSUSE-2017-47.NASL", "href": "https://www.tenable.com/plugins/nessus/96377", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-47.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96377);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"openSUSE Security Update : zlib (openSUSE-2017-47)\");\n script_summary(english:\"Check for the openSUSE-2017-47 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for zlib fixes the following issues :\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n (bsc#1013882)\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number\n (bsc#1003580) \n\n - CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer\n arithmetic in inftrees.c (bsc#1003579)\n\n - Incompatible declarations for external linkage function\n deflate (bsc#1003577)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1003580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1013882\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected zlib packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libz1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zlib-devel-static-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libz1-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libz1-debuginfo-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"zlib-debugsource-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"zlib-devel-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"zlib-devel-static-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libz1-32bit-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libz1-debuginfo-32bit-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"zlib-devel-32bit-1.2.8-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"zlib-devel-static-32bit-1.2.8-8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libz1 / libz1-32bit / libz1-debuginfo / libz1-debuginfo-32bit / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:42:59", "description": "According to the versions of the zlib packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9841)\n\n - The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.(CVE-2016-9842)\n\n - The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.(CVE-2016-9843)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-23T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : zlib (EulerOS-SA-2019-2704)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:zlib", "p-cpe:/a:huawei:euleros:zlib-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2704.NASL", "href": "https://www.tenable.com/plugins/nessus/132371", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132371);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-9840\",\n \"CVE-2016-9841\",\n \"CVE-2016-9842\",\n \"CVE-2016-9843\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : zlib (EulerOS-SA-2019-2704)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the zlib packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent\n attackers to have unspecified impact by leveraging\n improper pointer arithmetic.(CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent\n attackers to have unspecified impact by leveraging\n improper pointer arithmetic.(CVE-2016-9841)\n\n - The inflateMark function in inflate.c in zlib 1.2.8\n might allow context-dependent attackers to have\n unspecified impact via vectors involving left shifts of\n negative integers.(CVE-2016-9842)\n\n - The crc32_big function in crc32.c in zlib 1.2.8 might\n allow context-dependent attackers to have unspecified\n impact via vectors involving big-endian CRC\n calculation.(CVE-2016-9843)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2704\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5f1bb3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected zlib packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zlib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"zlib-1.2.7-17.h1.eulerosv2r7\",\n \"zlib-devel-1.2.7-17.h1.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-13T15:49:52", "description": "This update for zlib fixes the following issues :\n\n - Incompatible declarations for external linkage function deflate (bnc#1003577)\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number (bnc#1003580)\n\n - CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bnc#1003579)\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-22T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : zlib (SUSE-SU-2016:3209-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:zlib", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2016-3209-1.NASL", "href": "https://www.tenable.com/plugins/nessus/96077", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:3209-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96077);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n\n script_name(english:\"SUSE SLES11 Security Update : zlib (SUSE-SU-2016:3209-1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for zlib fixes the following issues :\n\n - Incompatible declarations for external linkage function\n deflate (bnc#1003577)\n\n - CVE-2016-9842: Undefined Left Shift of Negative Number\n (bnc#1003580)\n\n - CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer\n arithmetic in inftrees.c (bnc#1003579)\n\n - CVE-2016-9843: Big-endian out-of-bounds pointer\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1003580\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1013882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20163209-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f0fbcc0b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-zlib-12902=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-zlib-12902=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-zlib-12902=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:zlib\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"zlib-32bit-1.2.7-0.14.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"zlib-32bit-1.2.7-0.14.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"zlib-1.2.7-0.14.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zlib\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T14:15:32", "description": "The version of IBM Java installed on the remote host is prior to 6.0 < 6.0.16.45 / 6.1 < 6.1.8.45 / 7.0 < 7.0.10.5 / 7.1 < 7.1.4.5 / 8.0 < 8.0.4.5. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Update May 2017 advisory.\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. (CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. (CVE-2016-9841)\n\n - The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. (CVE-2016-9842)\n\n - The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. (CVE-2016-9843)\n\n - IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. (CVE-2017-1289)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-29T00:00:00", "type": "nessus", "title": "IBM Java 6.0 < 6.0.16.45 / 6.1 < 6.1.8.45 / 7.0 < 7.0.10.5 / 7.1 < 7.1.4.5 / 8.0 < 8.0.4.5 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289"], "modified": "2022-04-29T00:00:00", "cpe": ["cpe:/a:ibm:java"], "id": "IBM_JAVA_2017_05_01.NASL", "href": "https://www.tenable.com/plugins/nessus/160346", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160346);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/29\");\n\n script_cve_id(\n \"CVE-2016-9840\",\n \"CVE-2016-9841\",\n \"CVE-2016-9842\",\n \"CVE-2016-9843\",\n \"CVE-2017-1289\"\n );\n script_xref(name:\"IAVA\", value:\"2017-A-0306-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n script_xref(name:\"IAVA\", value:\"2018-A-0226-S\");\n\n script_name(english:\"IBM Java 6.0 < 6.0.16.45 / 6.1 < 6.1.8.45 / 7.0 < 7.0.10.5 / 7.1 < 7.1.4.5 / 8.0 < 8.0.4.5 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"IBM Java is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM Java installed on the remote host is prior to 6.0 < 6.0.16.45 / 6.1 < 6.1.8.45 / 7.0 < 7.0.10.5 / 7.1\n< 7.1.4.5 / 8.0 < 8.0.4.5. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security\nUpdate May 2017 advisory.\n\n - inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging\n improper pointer arithmetic. (CVE-2016-9840)\n\n - inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging\n improper pointer arithmetic. (CVE-2016-9841)\n\n - The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have\n unspecified impact via vectors involving left shifts of negative integers. (CVE-2016-9842)\n\n - The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have\n unspecified impact via vectors involving big-endian CRC calculation. (CVE-2016-9843)\n\n - IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing\n XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or\n consume memory resources. IBM X-Force ID: 125150. (CVE-2017-1289)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg1IV95268\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg1IV95456\");\n # https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities#IBM_Security_Update_May_2017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d5a419df\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the IBM Security Update May 2017 advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9843\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:java\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ibm_java_nix_installed.nbin\", \"ibm_java_win_installed.nbin\");\n script_require_keys(\"installed_sw/Java\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_list = ['IBM Java'];\nvar app_info = vcf::java::get_app_info(app:app_list);\n\nvar constraints = [\n { 'min_version' : '6.0.0', 'fixed_version' : '6.0.16.45' },\n { 'min_version' : '6.1.0', 'fixed_version' : '6.1.8.45' },\n { 'min_version' : '7.0.0', 'fixed_version' : '7.0.10.5' },\n { 'min_version' : '7.1.0', 'fixed_version' : '7.1.4.5' },\n { 'min_version' : '8.0.0', 'fixed_version' : '8.0.4.5' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:15:37", "description": "Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast, versatile, remote (and local) file-copying tool, uses an embedded copy of zlib, those issues are also present in rsync.\n\nCVE-2016-9840 In order to avoid undefined behavior, remove offset pointer optimization, as this is not compliant with the C standard.\n\nCVE-2016-9841 Only use post-increment to be compliant with the C standard.\n\nCVE-2016-9842 In order to avoid undefined behavior, do not shift negative values, as this is not compliant with the C standard.\n\nCVE-2016-9843 In order to avoid undefined behavior, do not pre-decrement a pointer in big-endian CRC calculation, as this is not compliant with the C standard.\n\nCVE-2018-5764 Prevent remote attackers from being able to bypass the argument-sanitization protection mechanism by ignoring --protect-args when already sent by client.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 3.1.1-3+deb8u2.\n\nWe recommend that you upgrade your rsync packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-25T00:00:00", "type": "nessus", "title": "Debian DLA-1725-1 : rsync security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2018-5764"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:rsync", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1725.NASL", "href": "https://www.tenable.com/plugins/nessus/123019", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1725-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123019);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2018-5764\");\n\n script_name(english:\"Debian DLA-1725-1 : rsync security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Trail of Bits used the automated vulnerability discovery tools\ndeveloped for the DARPA Cyber Grand Challenge to audit zlib. As rsync,\na fast, versatile, remote (and local) file-copying tool, uses an\nembedded copy of zlib, those issues are also present in rsync.\n\nCVE-2016-9840 In order to avoid undefined behavior, remove offset\npointer optimization, as this is not compliant with the C standard.\n\nCVE-2016-9841 Only use post-increment to be compliant with the C\nstandard.\n\nCVE-2016-9842 In order to avoid undefined behavior, do not shift\nnegative values, as this is not compliant with the C standard.\n\nCVE-2016-9843 In order to avoid undefined behavior, do not\npre-decrement a pointer in big-endian CRC calculation, as this is not\ncompliant with the C standard.\n\nCVE-2018-5764 Prevent remote attackers from being able to bypass the\nargument-sanitization protection mechanism by ignoring --protect-args\nwhen already sent by client.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n3.1.1-3+deb8u2.\n\nWe recommend that you upgrade your rsync packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/rsync\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected rsync package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:rsync\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"rsync\", reference:\"3.1.1-3+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:43:35", "description": "According to its self-reported version, the IBM BigFix Platform application running on the remote host is 9.1.x prior to 9.1.1328.0 or 9.2.x prior to 9.2.11.19. It is, therefore, affected by multiple vulnerabilities :\n\n - An out-of-bounds pointer arithmetic error exists in zlib within file inftrees.c. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition.\n (CVE-2016-9840)\n\n - An out-of-bounds pointer arithmetic error exists in zlib within file inffast.c. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition.\n (CVE-2016-9841)\n\n - A flaw exists in zlib in the z_streamp() function within file inflate.c that is related to left shifts of negative numbers. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition.\n (CVE-2016-9842)\n\n - An out-of-bounds pointer flaw exists in the crc32_big() function within file crc32.c when handling big-endian pointer calculations. An unauthenticated, remote attacker can exploit this, via a specially crafted document, to cause a denial of service condition.\n (CVE-2016-9843)\n\n - A cross-site scripting (XSS) vulnerability exists in the web-based user interface due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-1203)\n\n - An XML external entity (XXE) injection flaw exists when parsing XML data due to an incorrectly configured XML parser accepting XML external entities from untrusted sources. An authenticated, remote attacker can exploit this, via specially crafted XML data, to disclose sensitive information or cause a denial of service condition. (CVE-2017-1219)\n\nIBM BigFix Platform was formerly known as Tivoli Endpoint Manager, IBM Endpoint Manager, and IBM BigFix Endpoint Manager.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-27T00:00:00", "type": "nessus", "title": "IBM BigFix Platform 9.1.x < 9.1.1328.0 / 9.2.x < 9.2.11.19 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1203", "CVE-2017-1219"], "modified": "2019-11-12T00:00:00", "cpe": ["cpe:/a:ibm:tivoli_endpoint_manager", "cpe:/a:ibm:bigfix_platform"], "id": "IBM_TEM_9_2_11_19.NASL", "href": "https://www.tenable.com/plugins/nessus/102019", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102019);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2016-9840\",\n \"CVE-2016-9841\",\n \"CVE-2016-9842\",\n \"CVE-2016-9843\",\n \"CVE-2017-1203\",\n \"CVE-2017-1219\"\n );\n script_bugtraq_id(95131, 99871, 99916);\n\n script_name(english:\"IBM BigFix Platform 9.1.x < 9.1.1328.0 / 9.2.x < 9.2.11.19 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of the IBM BigFix Server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An infrastructure management application running on the remote host\nis affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the IBM BigFix Platform\napplication running on the remote host is 9.1.x prior to 9.1.1328.0 or\n9.2.x prior to 9.2.11.19. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An out-of-bounds pointer arithmetic error exists in\n zlib within file inftrees.c. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n document, to cause a denial of service condition.\n (CVE-2016-9840)\n\n - An out-of-bounds pointer arithmetic error exists in\n zlib within file inffast.c. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n document, to cause a denial of service condition.\n (CVE-2016-9841)\n\n - A flaw exists in zlib in the z_streamp() function\n within file inflate.c that is related to left shifts of\n negative numbers. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n document, to cause a denial of service condition.\n (CVE-2016-9842)\n\n - An out-of-bounds pointer flaw exists in the crc32_big()\n function within file crc32.c when handling big-endian\n pointer calculations. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n document, to cause a denial of service condition.\n (CVE-2016-9843)\n\n - A cross-site scripting (XSS) vulnerability exists in\n the web-based user interface due to improper validation\n of user-supplied input before returning it to users. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted request, to execute arbitrary script\n code in a user's browser session. (CVE-2017-1203)\n\n - An XML external entity (XXE) injection flaw exists when\n parsing XML data due to an incorrectly configured XML\n parser accepting XML external entities from untrusted\n sources. An authenticated, remote attacker can exploit\n this, via specially crafted XML data, to disclose\n sensitive information or cause a denial of service\n condition. (CVE-2017-1219)\n\nIBM BigFix Platform was formerly known as Tivoli Endpoint Manager, IBM\nEndpoint Manager, and IBM BigFix Endpoint Manager.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-the-bigfix-platform-versions-9-1-and-9-2-have-security-vulnerabilities-that-have-been-addressed-via-patch-releases/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?192a2e64\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg22006014\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM BigFix Platform version 9.1.1328.0 / 9.2.11.19 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9843\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:tivoli_endpoint_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:bigfix_platform\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ibm_tem_detect.nasl\");\n script_require_keys(\"www/BigFixHTTPServer\");\n script_require_ports(\"Services/www\", 52311);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"IBM BigFix Server\";\nport = get_http_port(default:52311, embedded:FALSE);\n\nversion = get_kb_item_or_exit(\"www/BigFixHTTPServer/\"+port+\"/version\");\n\nif (version == UNKNOWN_VER)\n audit(AUDIT_UNKNOWN_WEB_SERVER_VER, app_name, port);\n\nif (version !~ \"^(\\d+\\.){2,}\\d+$\")\n audit(AUDIT_VER_NOT_GRANULAR, app_name, port, version);\n\nfix = NULL;\nmin_fix = make_array(\n \"9.1\", \"9.1.1328.0\",\n \"9.2\", \"9.2.11.19\"\n);\n\nforeach minver (keys(min_fix))\n{\n if (ver_compare(ver:version, minver:minver, fix:min_fix[minver], strict:FALSE) < 0)\n {\n fix = min_fix[minver];\n break;\n }\n}\n\nif (isnull(fix))\n audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);\n\nreport = \"\";\n\nsource = get_kb_item(\"www/BigFixHTTPServer/\"+port+\"/source\");\nif (!isnull(source))\n report += '\\n Source : ' + source;\n\nreport +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE, xss:TRUE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:41:57", "description": "An update for java-1.6.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 6 to version 6 SR16-FP45.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3509, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-11T00:00:00", "type": "nessus", "title": "RHEL 6 : java-1.6.0-ibm (RHSA-2017:1222)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2017-1222.NASL", "href": "https://www.tenable.com/plugins/nessus/100119", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1222. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100119);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"RHSA\", value:\"2017:1222\");\n\n script_name(english:\"RHEL 6 : java-1.6.0-ibm (RHSA-2017:1222)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.6.0-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 6 includes the IBM Java Runtime Environment and\nthe IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 6 to version 6 SR16-FP45.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further\ninformation about these flaws can be found on the IBM Java Security\nVulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2017-1289, CVE-2017-3509, CVE-2017-3533, CVE-2017-3539,\nCVE-2017-3544)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-1289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3544\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1222\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-demo-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-demo-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-demo-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-devel-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-devel-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-devel-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-javacomm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-javacomm-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-jdbc-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-jdbc-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-jdbc-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-plugin-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-plugin-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-ibm-src-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.6.0-ibm-src-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-ibm-src-1.6.0.16.45-1jpp.1.el6_9\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-ibm / java-1.6.0-ibm-demo / java-1.6.0-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:42:05", "description": "An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-11T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2017:1221)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5"], "id": "REDHAT-RHSA-2017-1221.NASL", "href": "https://www.tenable.com/plugins/nessus/100118", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1221. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100118);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"RHSA\", value:\"2017:1221\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2017:1221)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.7.1-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further\ninformation about these flaws can be found on the IBM Java Security\nVulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533,\nCVE-2017-3539, CVE-2017-3544)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1221\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-1289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3544\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1221\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.2.el6_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.7.1-ibm-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.4.5-1jpp.1.el7_3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:41:49", "description": "An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-11T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2017:1220)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5"], "id": "REDHAT-RHSA-2017-1220.NASL", "href": "https://www.tenable.com/plugins/nessus/100117", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1220. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100117);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"RHSA\", value:\"2017:1220\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2017:1220)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 8 includes the IBM Java Runtime Environment and\nthe IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR4-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further\ninformation about these flaws can be found on the IBM Java Security\nVulnerabilities page, listed in the References section.\n(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533,\nCVE-2017-3539, CVE-2017-3544)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://developer.ibm.com/javasdk/support/security-vulnerabilities/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1220\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-1289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3544\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1220\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-plugin-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-plugin-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el6_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-ibm-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-demo-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-ibm-devel-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-jdbc-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-plugin-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-src-1.8.0.4.5-1jpp.1.el7_3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:41:56", "description": "This update for java-1_7_1-ibm fixes the following issues :\n\n - Version update to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1385-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-1385-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100376", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1385-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100376);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1385-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_1-ibm fixes the following issues :\n\n - Version update to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171385-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b99504ca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-847=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-847=1\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2017-847=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-847=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-847=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-847=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-devel-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-37.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-37.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_1-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:41:30", "description": "This update for java-1_7_1-ibm fixes the following issues: Version update to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1387-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_1-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2017-1387-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100378", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1387-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100378);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2017:1387-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_1-ibm fixes the following issues: Version\nupdate to 7.1-4.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171387-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0795a9e4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-java-1_7_1-ibm-13123=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-java-1_7_1-ibm-13123=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"java-1_7_1-ibm-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"java-1_7_1-ibm-jdbc-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"i586\", reference:\"java-1_7_1-ibm-alsa-1.7.1_sr4.5-25.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"i586\", reference:\"java-1_7_1-ibm-plugin-1.7.1_sr4.5-25.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_1-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:41:39", "description": "This update for java-1_8_0-ibm fixes the following issues: Version update bsc#1038505 :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2017:1386-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-1386-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100377", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1386-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100377);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2017:1386-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_8_0-ibm fixes the following issues: Version\nupdate bsc#1038505 :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171386-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b1e96fe3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-844=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-844=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-844=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-844=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-ibm-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr4.5-29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr4.5-29.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:42:05", "description": "This update for java-1_7_0-ibm fixes the following issues: Version update to 7.0-10.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-24T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2017:1384-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2017-1384-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100375", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1384-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100375);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2017:1384-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_0-ibm fixes the following issues: Version\nupdate to 7.0-10.5 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3511: OpenJDK: untrusted extension directories\n search path in Launcher\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171384-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2813b030\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch\nslessp3-java-1_7_0-ibm-13124=1\n\nSUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch\nsleposp3-java-1_7_0-ibm-13124=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-devel-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_7_0-ibm-jdbc-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_7_0-ibm-alsa-1.7.0_sr10.5-64.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_7_0-ibm-plugin-1.7.0_sr10.5-64.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:09:56", "description": "This update for java-1_6_0-ibm fixes the following issues :\n\n - Version update to 6.0-16.45 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-02T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1389-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-2183", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_6_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-1389-1.NASL", "href": "https://www.tenable.com/plugins/nessus/119998", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1389-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119998);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-2183\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3514\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1389-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_6_0-ibm fixes the following issues :\n\n - Version update to 6.0-16.45 bsc#1038505\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3514/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171389-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b43ae059\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Legacy Software 12:zypper in -t patch\nSUSE-SLE-Module-Legacy-12-2017-843=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"java-1_6_0-ibm-plugin-1.6.0_sr16.45-49.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_6_0-ibm-1.6.0_sr16.45-49.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_6_0-ibm-fonts-1.6.0_sr16.45-49.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_6_0-ibm-jdbc-1.6.0_sr16.45-49.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_6_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:41:39", "description": "This update for java-1_6_0-ibm fixes the following issues :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-31T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1444-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-2183", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_6_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc", "p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2017-1444-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100540", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1444-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100540);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-2183\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3514\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n\n script_name(english:\"SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2017:1444-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_6_0-ibm fixes the following issues :\n\n - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in\n inftrees.c\n\n - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in\n inffast.c\n\n - CVE-2016-9842: zlib: Undefined left shift of negative\n number\n\n - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer\n\n - CVE-2017-1289: IBM JDK: XML External Entity Injection\n (XXE) error when processing XML data\n\n - CVE-2017-3509: OpenJDK: improper re-use of NTLM\n authenticated connections\n\n - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification\n\n - CVE-2017-3533: OpenJDK: newline injection in the FTP\n client\n\n - CVE-2017-3544: OpenJDK: newline injection in the SMTP\n client\n\n - Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1289/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3514/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3533/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3544/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171444-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c928ab5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch\nslessp3-java-1_6_0-ibm-13130=1\n\nSUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch\nsleposp3-java-1_6_0-ibm-13130=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-fonts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_6_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_6_0-ibm-plugin-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_6_0-ibm-alsa-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-devel-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-fonts-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"java-1_6_0-ibm-jdbc-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_6_0-ibm-plugin-1.6.0_sr16.45-84.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"i586\", reference:\"java-1_6_0-ibm-alsa-1.6.0_sr16.45-84.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_6_0-ibm\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T15:44:45", "description": "The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following subcomponents :\n\n - Multiple vulnerabilities exist in the zlib subcomponent that allow an unauthenticated, remote attacker to trigger denial of service conditions. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)\n\n - An unspecified flaw exists in the XML subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-1289)\n\n - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. This vulnerability does not affect Java SE version 6. (CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3514)\n\n - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data. (CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent that allows an unauthenticated, remote attacker to gain update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)", "cvss3": {"score": 8.3, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2017-09-13T00:00:00", "type": "nessus", "title": "AIX Java Advisory : java_apr2017_advisory.asc (April 2017 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2021-01-04T00:00:00", "cpe": ["cpe:/o:ibm:aix", "cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "AIX_JAVA_APR2017_ADVISORY.NASL", "href": "https://www.tenable.com/plugins/nessus/103189", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103189);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-9840\",\n \"CVE-2016-9841\",\n \"CVE-2016-9842\",\n \"CVE-2016-9843\",\n \"CVE-2017-1289\",\n \"CVE-2017-3509\",\n \"CVE-2017-3511\",\n \"CVE-2017-3512\",\n \"CVE-2017-3514\",\n \"CVE-2017-3533\",\n \"CVE-2017-3539\",\n \"CVE-2017-3544\"\n );\n script_bugtraq_id(\n 95131,\n 97727,\n 97729,\n 97731,\n 97737,\n 97740,\n 97745,\n 97752,\n 98401\n );\n\n script_name(english:\"AIX Java Advisory : java_apr2017_advisory.asc (April 2017 CPU)\");\n script_summary(english:\"Checks the version of the Java package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Java SDK installed on the remote AIX host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Java SDK installed on the remote AIX host is affected\nby multiple vulnerabilities in the following subcomponents :\n\n - Multiple vulnerabilities exist in the zlib subcomponent\n that allow an unauthenticated, remote attacker to\n trigger denial of service conditions. (CVE-2016-9840,\n CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)\n\n - An unspecified flaw exists in the XML subcomponent that\n allows an unauthenticated, remote attacker to execute\n arbitrary code. (CVE-2017-1289)\n\n - An unspecified flaw exists in the Networking\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity.\n (CVE-2017-3509)\n\n - An unspecified flaw exists in the JCE subcomponent that\n allows a local attacker to gain elevated privileges.\n This vulnerability does not affect Java SE version 6.\n (CVE-2017-3511)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. This vulnerability does not\n affect Java SE version 6. (CVE-2017-3512)\n\n - An unspecified flaw exists in the AWT subcomponent\n that allows an unauthenticated, remote attacker to\n execute arbitrary code. (CVE-2017-3514)\n\n - Multiple unspecified flaws exist in the Networking\n subcomponent that allow an unauthenticated, remote\n attacker to gain update, insert, or delete access to\n unauthorized data. (CVE-2017-3533, CVE-2017-3544)\n\n - An unspecified flaw exists in the Security subcomponent\n that allows an unauthenticated, remote attacker to gain\n update, insert, or delete access to unauthorized data.\n (CVE-2017-3539)\");\n # http://aix.software.ibm.com/aix/efixes/security/java_apr2017_advisory.asc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d03f97b\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ce533d8f\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?17d05c61\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d4595696\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9abd5252\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ee03dc1\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f7a066c\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52d4ddf3\");\n # https://www-945.ibm.com/support/fixcentral/swg/selectFixes?\n # parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?343fa903\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?623d2c22\");\n script_set_attribute(attribute:\"solution\", value:\n\"Fixes are available by version and can be downloaded from the IBM AIX\nwebsite.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\", \"Host/AIX/oslevelsp\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item_or_exit(\"Host/AIX/version\");\nif ( oslevel != \"AIX-5.3\" && oslevel != \"AIX-6.1\" && oslevel != \"AIX-7.1\" && oslevel != \"AIX-7.2\" )\n{\n oslevel = ereg_replace(string:oslevel, pattern:\"-\", replace:\" \");\n audit(AUDIT_OS_NOT, \"AIX 5.3 / 6.1 / 7.1 / 7.2\", oslevel);\n}\n\noslevelcomplete = chomp(get_kb_item(\"Host/AIX/oslevelsp\"));\nif (empty_or_null(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nflag = 0;\n\n#Java6 6.0.0.645\nif (aix_check_package(release:\"5.3\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java6.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"5.3\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java6_64.sdk\", minpackagever:\"6.0.0.0\", maxpackagever:\"6.0.0.644\", fixpackagever:\"6.0.0.645\") > 0) flag++;\n\n#Java7 7.0.0.605\nif (aix_check_package(release:\"6.1\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7_64.sdk\", minpackagever:\"7.0.0.0\", maxpackagever:\"7.0.0.604\", fixpackagever:\"7.0.0.605\") > 0) flag++;\n\n#Java7.1 7.1.0.405\nif (aix_check_package(release:\"6.1\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java7_64.sdk\", minpackagever:\"7.1.0.0\", maxpackagever:\"7.1.0.404\", fixpackagever:\"7.1.0.405\") > 0) flag++;\n\n#Java8.0 8.0.0.406\nif (aix_check_package(release:\"6.1\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java8.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:\"Java8_64.sdk\", minpackagever:\"8.0.0.0\", maxpackagever:\"8.0.0.405\", fixpackagever:\"8.0.0.406\") > 0) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_get()\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Java6 / Java7 / Java8\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-22T15:35:14", "description": "An update for java-1.6.0-sun is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 6 to version 6 Update 171.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\nFurther information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10293, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388)\n\nNote: Starting with this update, Java web browser plugin and Java Web Start application are no longer included with Oracle Java SE 6. Refer to the Releases Notes and the Oracle Java SE Support Roadmap pages linked to in the References section for further information about this change.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-25T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : java-1.6.0-sun (RHSA-2017:3047)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10293", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4"], "id": "REDHAT-RHSA-2017-3047.NASL", "href": "https://www.tenable.com/plugins/nessus/104140", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:3047. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104140);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10293\", \"CVE-2017-10295\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n script_xref(name:\"RHSA\", value:\"2017:3047\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.6.0-sun (RHSA-2017:3047)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.6.0-sun is now available for Oracle Java for Red\nHat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 6 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 6 to version 6 Update 171.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the Oracle Java\nRuntime Environment and the Oracle Java Software Development Kit.\nFurther information about these flaws can be found on the Oracle Java\nSE Critical Patch Update Advisory page listed in the References\nsection. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10293,\nCVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347,\nCVE-2017-10348, CVE-2017-10349, CVE-2017-10355, CVE-2017-10356,\nCVE-2017-10357, CVE-2017-10388)\n\nNote: Starting with this update, Java web browser plugin and Java Web\nStart application are no longer included with Oracle Java SE 6. Refer\nto the Releases Notes and the Oracle Java SE Support Roadmap pages\nlinked to in the References section for further information about this\nchange.\"\n );\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1e07fa0e\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.oracle.com/technetwork/java/javase/documentation/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.oracle.com/technetwork/java/javase/eol-135779.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:3047\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10274\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10293\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10295\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10345\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10347\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10349\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10355\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10356\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10357\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10388\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:3047\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-demo-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-demo-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-devel-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-devel-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-jdbc-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-jdbc-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-plugin-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-plugin-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-src-1.6.0.171-1jpp.4.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-src-1.6.0.171-1jpp.4.el6\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.6.0-sun-1.6.0.171-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-1.6.0.171-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-demo-1.6.0.171-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.6.0-sun-devel-1.6.0.171-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-devel-1.6.0.171-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-jdbc-1.6.0.171-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-plugin-1.6.0.171-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-src-1.6.0.171-1jpp.4.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-sun / java-1.6.0-sun-demo / java-1.6.0-sun-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-22T15:36:10", "description": "This update for java-1_8_0-openjdk fixes the following issues :\n\n - Update to version jdk8u151 (icedtea 3.6.0)\n\nSecurity issues fixed :\n\n - CVE-2017-10274: Handle smartcard clean up better (bsc#1064071)\n\n - CVE-2017-10281: Better queuing priorities (bsc#1064072)\n\n - CVE-2017-10285: Unreferenced references (bsc#1064073)\n\n - CVE-2017-10295: Better URL connections (bsc#1064075)\n\n - CVE-2017-10388: Correct Kerberos ticket grants (bsc#1064086)\n\n - CVE-2017-10346: Better invokespecial checks (bsc#1064078)\n\n - CVE-2017-10350: Better Base Exceptions (bsc#1064082)\n\n - CVE-2017-10347: Better timezone processing (bsc#1064079)\n\n - CVE-2017-10349: Better X processing (bsc#1064081)\n\n - CVE-2017-10345: Better keystore handling (bsc#1064077)\n\n - CVE-2017-10348: Better processing of unresolved permissions (bsc#1064080)\n\n - CVE-2017-10357: Process Proxy presentation (bsc#1064085)\n\n - CVE-2017-10355: More stable connection processing (bsc#1064083)\n\n - CVE-2017-10356: Update storage implementations (bsc#1064084)\n\n - CVE-2016-10165: Improve CMS header processing (bsc#1064069)\n\n - CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade compression library (bsc#1064070)\n\nBug fixes :\n\n - Fix bsc#1032647, bsc#1052009 with btrfs subvolumes and overlayfs\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update project.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2017-1269)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10165", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:java-1_8_0-openjdk", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc", "p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src", "cpe:/o:novell:opensuse:42.2", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2017-1269.NASL", "href": "https://www.tenable.com/plugins/nessus/104527", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1269.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104527);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10295\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n\n script_name(english:\"openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2017-1269)\");\n script_summary(english:\"Check for the openSUSE-2017-1269 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_8_0-openjdk fixes the following issues :\n\n - Update to version jdk8u151 (icedtea 3.6.0)\n\nSecurity issues fixed :\n\n - CVE-2017-10274: Handle smartcard clean up better\n (bsc#1064071)\n\n - CVE-2017-10281: Better queuing priorities (bsc#1064072)\n\n - CVE-2017-10285: Unreferenced references (bsc#1064073)\n\n - CVE-2017-10295: Better URL connections (bsc#1064075)\n\n - CVE-2017-10388: Correct Kerberos ticket grants\n (bsc#1064086)\n\n - CVE-2017-10346: Better invokespecial checks\n (bsc#1064078)\n\n - CVE-2017-10350: Better Base Exceptions (bsc#1064082)\n\n - CVE-2017-10347: Better timezone processing (bsc#1064079)\n\n - CVE-2017-10349: Better X processing (bsc#1064081)\n\n - CVE-2017-10345: Better keystore handling (bsc#1064077)\n\n - CVE-2017-10348: Better processing of unresolved\n permissions (bsc#1064080)\n\n - CVE-2017-10357: Process Proxy presentation (bsc#1064085)\n\n - CVE-2017-10355: More stable connection processing\n (bsc#1064083)\n\n - CVE-2017-10356: Update storage implementations\n (bsc#1064084)\n\n - CVE-2016-10165: Improve CMS header processing\n (bsc#1064069)\n\n - CVE-2016-9840, CVE-2016-9841, CVE-2016-9842,\n CVE-2016-9843: Upgrade compression library (bsc#1064070)\n\nBug fixes :\n\n - Fix bsc#1032647, bsc#1052009 with btrfs subvolumes and\n overlayfs\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1032647\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1052009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064070\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064073\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064077\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064081\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064082\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064084\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064086\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1_8_0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-accessibility-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-demo-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-devel-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-headless-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-javadoc-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_8_0-openjdk-src-1.8.0.151-10.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-accessibility-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-demo-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-devel-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-headless-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-javadoc-1.8.0.151-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_8_0-openjdk-src-1.8.0.151-18.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-openjdk / java-1_8_0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-22T15:36:50", "description": "This update for java-1_8_0-openjdk fixes the following issues :\n\n - Update to version jdk8u151 (icedtea 3.6.0) Security issues fixed :\n\n - CVE-2017-10274: Handle smartcard clean up better (bsc#1064071)\n\n - CVE-2017-10281: Better queuing priorities (bsc#1064072)\n\n - CVE-2017-10285: Unreferenced references (bsc#1064073)\n\n - CVE-2017-10295: Better URL connections (bsc#1064075)\n\n - CVE-2017-10388: Correct Kerberos ticket grants (bsc#1064086)\n\n - CVE-2017-10346: Better invokespecial checks (bsc#1064078)\n\n - CVE-2017-10350: Better Base Exceptions (bsc#1064082)\n\n - CVE-2017-10347: Better timezone processing (bsc#1064079)\n\n - CVE-2017-10349: Better X processing (bsc#1064081)\n\n - CVE-2017-10345: Better keystore handling (bsc#1064077)\n\n - CVE-2017-10348: Better processing of unresolved permissions (bsc#1064080)\n\n - CVE-2017-10357: Process Proxy presentation (bsc#1064085)\n\n - CVE-2017-10355: More stable connection processing (bsc#1064083)\n\n - CVE-2017-10356: Update storage implementations (bsc#1064084)\n\n - CVE-2016-10165: Improve CMS header processing (bsc#1064069)\n\n - CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade compression library (bsc#1064070) Bug fixes :\n\n - Fix bsc#1032647, bsc#1052009 with btrfs subvolumes and overlayfs\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-11-13T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2017:2989-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10165", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debugsource", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless", "p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-2989-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104531", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2989-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104531);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10295\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2017:2989-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_8_0-openjdk fixes the following issues :\n\n - Update to version jdk8u151 (icedtea 3.6.0) Security\n issues fixed :\n\n - CVE-2017-10274: Handle smartcard clean up better\n (bsc#1064071)\n\n - CVE-2017-10281: Better queuing priorities (bsc#1064072)\n\n - CVE-2017-10285: Unreferenced references (bsc#1064073)\n\n - CVE-2017-10295: Better URL connections (bsc#1064075)\n\n - CVE-2017-10388: Correct Kerberos ticket grants\n (bsc#1064086)\n\n - CVE-2017-10346: Better invokespecial checks\n (bsc#1064078)\n\n - CVE-2017-10350: Better Base Exceptions (bsc#1064082)\n\n - CVE-2017-10347: Better timezone processing (bsc#1064079)\n\n - CVE-2017-10349: Better X processing (bsc#1064081)\n\n - CVE-2017-10345: Better keystore handling (bsc#1064077)\n\n - CVE-2017-10348: Better processing of unresolved\n permissions (bsc#1064080)\n\n - CVE-2017-10357: Process Proxy presentation (bsc#1064085)\n\n - CVE-2017-10355: More stable connection processing\n (bsc#1064083)\n\n - CVE-2017-10356: Update storage implementations\n (bsc#1064084)\n\n - CVE-2016-10165: Improve CMS header processing\n (bsc#1064069)\n\n - CVE-2016-9840, CVE-2016-9841, CVE-2016-9842,\n CVE-2016-9843: Upgrade compression library (bsc#1064070)\n Bug fixes :\n\n - Fix bsc#1032647, bsc#1052009 with btrfs subvolumes and\n overlayfs\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1032647\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064070\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064073\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064077\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064081\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064082\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064084\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064086\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-10165/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10274/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10281/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10285/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10295/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10345/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10346/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10347/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10348/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10349/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10350/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10355/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10356/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10357/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10388/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172989-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b56d4a6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1847=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1847=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-1847=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2017-1847=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-1847=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1847=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2017-1847=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-1847=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-demo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-devel-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-headless-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-demo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-devel-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-headless-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-demo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-devel-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-headless-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-1.8.0.151-27.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.151-27.8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-openjdk\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-22T15:34:15", "description": "An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 151.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\nFurther information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-10165, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10293, CVE-2017-10295, CVE-2017-10309, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-24T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2017:2999)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10165", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10293", "CVE-2017-10295", "CVE-2017-10309", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388"], "modified": "2021-03-11T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4"], "id": "REDHAT-RHSA-2017-2999.NASL", "href": "https://www.tenable.com/plugins/nessus/104116", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2999. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104116);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/11\");\n\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10293\", \"CVE-2017-10295\", \"CVE-2017-10309\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n script_xref(name:\"RHSA\", value:\"2017:2999\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2017:2999)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-oracle is now available for Oracle Java for\nRed Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 8 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 151.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the Oracle Java\nRuntime Environment and the Oracle Java Software Development Kit.\nFurther information about these flaws can be found on the Oracle Java\nSE Critical Patch Update Advisory page listed in the References\nsection. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2016-10165, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285,\nCVE-2017-10293, CVE-2017-10295, CVE-2017-10309, CVE-2017-10345,\nCVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349,\nCVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357,\nCVE-2017-10388)\"\n );\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1e07fa0e\"\n );\n # http://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bbe7f5cf\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:2999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10274\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10293\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10295\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10309\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10345\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10347\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10349\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10350\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10355\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10356\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10357\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10388\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:2999\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-devel-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-devel-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-javafx-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-javafx-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-jdbc-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-jdbc-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-plugin-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-plugin-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-src-1.8.0.151-1jpp.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-src-1.8.0.151-1jpp.1.el6\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-1.8.0.151-1jpp.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-devel-1.8.0.151-1jpp.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-javafx-1.8.0.151-1jpp.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-jdbc-1.8.0.151-1jpp.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-plugin-1.8.0.151-1jpp.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-src-1.8.0.151-1jpp.5.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-oracle / java-1.8.0-oracle-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-22T15:34:15", "description": "An update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 7 to version 7 Update 161.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\nFurther information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page listed in the References section. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-10165, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10293, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388)\n\nNote: Starting with this update, Java web browser plugin and Java Web Start application are no longer included with Oracle Java SE 7. Refer to the Releases Notes and the Oracle Java SE Support Roadmap pages linked to in the References section for further information about this change.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-25T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : java-1.7.0-oracle (RHSA-2017:3046)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10165", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10293", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388"], "modified": "2021-03-11T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4"], "id": "REDHAT-RHSA-2017-3046.NASL", "href": "https://www.tenable.com/plugins/nessus/104139", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:3046. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104139);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/11\");\n\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10293\", \"CVE-2017-10295\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n script_xref(name:\"RHSA\", value:\"2017:3046\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.7.0-oracle (RHSA-2017:3046)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.7.0-oracle is now available for Oracle Java for\nRed Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 7 to version 7 Update 161.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the Oracle Java\nRuntime Environment and the Oracle Java Software Development Kit.\nFurther information about these flaws can be found on the Oracle Java\nSE Critical Patch Update Advisory page listed in the References\nsection. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843,\nCVE-2016-10165, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285,\nCVE-2017-10293, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346,\nCVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350,\nCVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388)\n\nNote: Starting with this update, Java web browser plugin and Java Web\nStart application are no longer included with Oracle Java SE 7. Refer\nto the Releases Notes and the Oracle Java SE Support Roadmap pages\nlinked to in the References section for further information about this\nchange.\"\n );\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1e07fa0e\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.oracle.com/technetwork/java/javaseproducts/documentation/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.oracle.com/technetwork/java/javase/eol-135779.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:3046\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10274\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10293\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10295\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10345\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10347\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10349\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10350\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10355\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10356\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10357\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10388\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:3046\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-devel-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-devel-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-javafx-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-plugin-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-src-1.7.0.161-1jpp.3.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.161-1jpp.3.el6\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.7.0-oracle-1.7.0.161-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.161-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.7.0-oracle-devel-1.7.0.161-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-devel-1.7.0.161-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.161-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.161-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.161-1jpp.4.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.161-1jpp.4.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-oracle / java-1.7.0-oracle-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T16:35:56", "description": "An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8 and Red Hat Satellite 5.8 ELS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR5-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security Vulnerabilities page listed in the References section. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-10165, CVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533, CVE-2017-3539, CVE-2017-3544, CVE-2017-10053, CVE-2017-10067, CVE-2017-10078, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116, CVE-2017-10243, CVE-2017-10281, CVE-2017-10285, CVE-2017-10295, CVE-2017-10309, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388)\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to :\n\nhttps://access.redhat.com/articles/11258\n\nFor this update to take effect, Red Hat Satellite must be restarted ('/usr/sbin/rhn-satellite restart'). All running instances of IBM Java must be restarted for this update to take effect.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-15T00:00:00", "type": "nessus", "title": "RHEL 6 : Satellite Server (RHSA-2017:3453)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10165", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10053", "CVE-2017-10067", "CVE-2017-10078", "CVE-2017-10087", "CVE-2017-10089", "CVE-2017-10090", "CVE-2017-10096", "CVE-2017-10101", "CVE-2017-10102", "CVE-2017-10105", "CVE-2017-10107", "CVE-2017-10108", "CVE-2017-10109", "CVE-2017-10110", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10243", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10295", "CVE-2017-10309", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2017-3453.NASL", "href": "https://www.tenable.com/plugins/nessus/105267", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:3453. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105267);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/10/24 15:35:44\");\n\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10053\", \"CVE-2017-10067\", \"CVE-2017-10078\", \"CVE-2017-10087\", \"CVE-2017-10089\", \"CVE-2017-10090\", \"CVE-2017-10096\", \"CVE-2017-10101\", \"CVE-2017-10102\", \"CVE-2017-10105\", \"CVE-2017-10107\", \"CVE-2017-10108\", \"CVE-2017-10109\", \"CVE-2017-10110\", \"CVE-2017-10115\", \"CVE-2017-10116\", \"CVE-2017-10243\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10295\", \"CVE-2017-10309\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\", \"CVE-2017-1289\", \"CVE-2017-3509\", \"CVE-2017-3511\", \"CVE-2017-3533\", \"CVE-2017-3539\", \"CVE-2017-3544\");\n script_xref(name:\"RHSA\", value:\"2017:3453\");\n\n script_name(english:\"RHEL 6 : Satellite Server (RHSA-2017:3453)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-ibm is now available for Red Hat Satellite\n5.8 and Red Hat Satellite 5.8 ELS.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 8 includes the IBM Java Runtime Environment and\nthe IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR5-FP5.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further\ninformation about these flaws can be found on the IBM Java Security\nVulnerabilities page listed in the References section. (CVE-2016-9840,\nCVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-10165,\nCVE-2017-1289, CVE-2017-3509, CVE-2017-3511, CVE-2017-3533,\nCVE-2017-3539, CVE-2017-3544, CVE-2017-10053, CVE-2017-10067,\nCVE-2017-10078, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090,\nCVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105,\nCVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110,\nCVE-2017-10115, CVE-2017-10116, CVE-2017-10243, CVE-2017-10281,\nCVE-2017-10285, CVE-2017-10295, CVE-2017-10309, CVE-2017-10345,\nCVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349,\nCVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357,\nCVE-2017-10388)\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to :\n\nhttps://access.redhat.com/articles/11258\n\nFor this update to take effect, Red Hat Satellite must be restarted\n('/usr/sbin/rhn-satellite restart'). All running instances of IBM Java\nmust be restarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:3453\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-1289\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-3544\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10053\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10067\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10087\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10101\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10102\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10107\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10109\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10110\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10115\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10116\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10243\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10295\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10309\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10345\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10347\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10349\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10350\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10355\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10356\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10357\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-10388\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected java-1.8.0-ibm and / or java-1.8.0-ibm-devel\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:3453\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"spacewalk-admin-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Satellite Server\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-1.8.0.5.5-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-1.8.0.5.5-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.8.0-ibm-devel-1.8.0.5.5-1jpp.1.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-ibm-devel-1.8.0.5.5-1jpp.1.el6_9\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-ibm / java-1.8.0-ibm-devel\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T14:09:08", "description": "This update for java-1_7_0-openjdk fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2017-10356: Fix issue inside subcomponent Security (bsc#1064084).\n\n - CVE-2017-10274: Fix issue inside subcomponent Smart Card IO (bsc#1064071).\n\n - CVE-2017-10281: Fix issue inside subcomponent Serialization (bsc#1064072).\n\n - CVE-2017-10285: Fix issue inside subcomponent RMI (bsc#1064073).\n\n - CVE-2017-10295: Fix issue inside subcomponent Networking (bsc#1064075).\n\n - CVE-2017-10388: Fix issue inside subcomponent Libraries (bsc#1064086).\n\n - CVE-2017-10346: Fix issue inside subcomponent Hotspot (bsc#1064078).\n\n - CVE-2017-10350: Fix issue inside subcomponent JAX-WS (bsc#1064082).\n\n - CVE-2017-10347: Fix issue inside subcomponent Serialization (bsc#1064079).\n\n - CVE-2017-10349: Fix issue inside subcomponent JAXP (bsc#1064081).\n\n - CVE-2017-10345: Fix issue inside subcomponent Serialization (bsc#1064077).\n\n - CVE-2017-10348: Fix issue inside subcomponent Libraries (bsc#1064080).\n\n - CVE-2017-10357: Fix issue inside subcomponent Serialization (bsc#1064085).\n\n - CVE-2017-10355: Fix issue inside subcomponent Networking (bsc#1064083).\n\n - CVE-2017-10102: Fix incorrect handling of references in DGC (bsc#1049316).\n\n - CVE-2017-10053: Fix reading of unprocessed image data in JPEGImageReader (bsc#1049305).\n\n - CVE-2017-10067: Fix JAR verifier incorrect handling of missing digest (bsc#1049306).\n\n - CVE-2017-10081: Fix incorrect bracket processing in function signature handling (bsc#1049309).\n\n - CVE-2017-10087: Fix insufficient access control checks in ThreadPoolExecutor (bsc#1049311).\n\n - CVE-2017-10089: Fix insufficient access control checks in ServiceRegistry (bsc#1049312).\n\n - CVE-2017-10090: Fix insufficient access control checks in AsynchronousChannelGroupImpl (bsc#1049313).\n\n - CVE-2017-10096: Fix insufficient access control checks in XML transformations (bsc#1049314).\n\n - CVE-2017-10101: Fix unrestricted access to com.sun.org.apache.xml.internal.resolver (bsc#1049315).\n\n - CVE-2017-10107: Fix insufficient access control checks in ActivationID (bsc#1049318).\n\n - CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).\n\n - CVE-2017-10110: Fix insufficient access control checks in ImageWatched (bsc#1049321).\n\n - CVE-2017-10108: Fix unbounded memory allocation in BasicAttribute deserialization (bsc#1049319).\n\n - CVE-2017-10109: Fix unbounded memory allocation in CodeSource deserialization (bsc#1049320).\n\n - CVE-2017-10115: Fix unspecified vulnerability in subcomponent JCE (bsc#1049324).\n\n - CVE-2017-10118: Fix ECDSA implementation timing attack (bsc#1049326).\n\n - CVE-2017-10116: Fix LDAPCertStore following referrals to non-LDAP URL (bsc#1049325).\n\n - CVE-2017-10135: Fix PKCS#8 implementation timing attack (bsc#1049328).\n\n - CVE-2017-10176: Fix incorrect handling of certain EC points (bsc#1049329).\n\n - CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).\n\n - CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).\n\n - CVE-2017-10111: Fix checks in LambdaFormEditor (bsc#1049322).\n\n - CVE-2017-10243: Fix unspecified vulnerability in subcomponent JAX-WS (bsc#1049332).\n\n - CVE-2017-10125: Fix unspecified vulnerability in subcomponent deployment (bsc#1049327).\n\n - CVE-2017-10114: Fix unspecified vulnerability in subcomponent JavaFX (bsc#1049323).\n\n - CVE-2017-10105: Fix unspecified vulnerability in subcomponent deployment (bsc#1049317).\n\n - CVE-2017-10086: Fix unspecified in subcomponent JavaFX (bsc#1049310).\n\n - CVE-2017-10198: Fix incorrect enforcement of certificate path restrictions (bsc#1049331).\n\n - CVE-2017-10193: Fix incorrect key size constraint check (bsc#1049330).\n\nBug fixes :\n\n - Drop Exec Shield workaround to fix crashes on recent kernels, where Exec Shield is gone (bsc#1052318).\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-01-10T00:00:00", "type": "nessus", "title": "openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2018-14)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10165", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10053", "CVE-2017-10067", "CVE-2017-10074", "CVE-2017-10081", "CVE-2017-10086", "CVE-2017-10087", "CVE-2017-10089", "CVE-2017-10090", "CVE-2017-10096", "CVE-2017-10101", "CVE-2017-10102", "CVE-2017-10105", "CVE-2017-10107", "CVE-2017-10108", "CVE-2017-10109", "CVE-2017-10110", "CVE-2017-10111", "CVE-2017-10114", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10118", "CVE-2017-10125", "CVE-2017-10135", "CVE-2017-10176", "CVE-2017-10193", "CVE-2017-10198", "CVE-2017-10243", "CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:java-1_7_0-openjdk", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-accessibility", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debugsource", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src", "cpe:/o:novell:opensuse:42.2", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2018-14.NASL", "href": "https://www.tenable.com/plugins/nessus/105714", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-14.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105714);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10053\", \"CVE-2017-10067\", \"CVE-2017-10074\", \"CVE-2017-10081\", \"CVE-2017-10086\", \"CVE-2017-10087\", \"CVE-2017-10089\", \"CVE-2017-10090\", \"CVE-2017-10096\", \"CVE-2017-10101\", \"CVE-2017-10102\", \"CVE-2017-10105\", \"CVE-2017-10107\", \"CVE-2017-10108\", \"CVE-2017-10109\", \"CVE-2017-10110\", \"CVE-2017-10111\", \"CVE-2017-10114\", \"CVE-2017-10115\", \"CVE-2017-10116\", \"CVE-2017-10118\", \"CVE-2017-10125\", \"CVE-2017-10135\", \"CVE-2017-10176\", \"CVE-2017-10193\", \"CVE-2017-10198\", \"CVE-2017-10243\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10295\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n\n script_name(english:\"openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2018-14)\");\n script_summary(english:\"Check for the openSUSE-2018-14 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_0-openjdk fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2017-10356: Fix issue inside subcomponent Security\n (bsc#1064084).\n\n - CVE-2017-10274: Fix issue inside subcomponent Smart Card\n IO (bsc#1064071).\n\n - CVE-2017-10281: Fix issue inside subcomponent\n Serialization (bsc#1064072).\n\n - CVE-2017-10285: Fix issue inside subcomponent RMI\n (bsc#1064073).\n\n - CVE-2017-10295: Fix issue inside subcomponent Networking\n (bsc#1064075).\n\n - CVE-2017-10388: Fix issue inside subcomponent Libraries\n (bsc#1064086).\n\n - CVE-2017-10346: Fix issue inside subcomponent Hotspot\n (bsc#1064078).\n\n - CVE-2017-10350: Fix issue inside subcomponent JAX-WS\n (bsc#1064082).\n\n - CVE-2017-10347: Fix issue inside subcomponent\n Serialization (bsc#1064079).\n\n - CVE-2017-10349: Fix issue inside subcomponent JAXP\n (bsc#1064081).\n\n - CVE-2017-10345: Fix issue inside subcomponent\n Serialization (bsc#1064077).\n\n - CVE-2017-10348: Fix issue inside subcomponent Libraries\n (bsc#1064080).\n\n - CVE-2017-10357: Fix issue inside subcomponent\n Serialization (bsc#1064085).\n\n - CVE-2017-10355: Fix issue inside subcomponent Networking\n (bsc#1064083).\n\n - CVE-2017-10102: Fix incorrect handling of references in\n DGC (bsc#1049316).\n\n - CVE-2017-10053: Fix reading of unprocessed image data in\n JPEGImageReader (bsc#1049305).\n\n - CVE-2017-10067: Fix JAR verifier incorrect handling of\n missing digest (bsc#1049306).\n\n - CVE-2017-10081: Fix incorrect bracket processing in\n function signature handling (bsc#1049309).\n\n - CVE-2017-10087: Fix insufficient access control checks\n in ThreadPoolExecutor (bsc#1049311).\n\n - CVE-2017-10089: Fix insufficient access control checks\n in ServiceRegistry (bsc#1049312).\n\n - CVE-2017-10090: Fix insufficient access control checks\n in AsynchronousChannelGroupImpl (bsc#1049313).\n\n - CVE-2017-10096: Fix insufficient access control checks\n in XML transformations (bsc#1049314).\n\n - CVE-2017-10101: Fix unrestricted access to\n com.sun.org.apache.xml.internal.resolver (bsc#1049315).\n\n - CVE-2017-10107: Fix insufficient access control checks\n in ActivationID (bsc#1049318).\n\n - CVE-2017-10074: Fix integer overflows in range check\n loop predicates (bsc#1049307).\n\n - CVE-2017-10110: Fix insufficient access control checks\n in ImageWatched (bsc#1049321).\n\n - CVE-2017-10108: Fix unbounded memory allocation in\n BasicAttribute deserialization (bsc#1049319).\n\n - CVE-2017-10109: Fix unbounded memory allocation in\n CodeSource deserialization (bsc#1049320).\n\n - CVE-2017-10115: Fix unspecified vulnerability in\n subcomponent JCE (bsc#1049324).\n\n - CVE-2017-10118: Fix ECDSA implementation timing attack\n (bsc#1049326).\n\n - CVE-2017-10116: Fix LDAPCertStore following referrals to\n non-LDAP URL (bsc#1049325).\n\n - CVE-2017-10135: Fix PKCS#8 implementation timing attack\n (bsc#1049328).\n\n - CVE-2017-10176: Fix incorrect handling of certain EC\n points (bsc#1049329).\n\n - CVE-2017-10074: Fix integer overflows in range check\n loop predicates (bsc#1049307).\n\n - CVE-2017-10074: Fix integer overflows in range check\n loop predicates (bsc#1049307).\n\n - CVE-2017-10111: Fix checks in LambdaFormEditor\n (bsc#1049322).\n\n - CVE-2017-10243: Fix unspecified vulnerability in\n subcomponent JAX-WS (bsc#1049332).\n\n - CVE-2017-10125: Fix unspecified vulnerability in\n subcomponent deployment (bsc#1049327).\n\n - CVE-2017-10114: Fix unspecified vulnerability in\n subcomponent JavaFX (bsc#1049323).\n\n - CVE-2017-10105: Fix unspecified vulnerability in\n subcomponent deployment (bsc#1049317).\n\n - CVE-2017-10086: Fix unspecified in subcomponent JavaFX\n (bsc#1049310).\n\n - CVE-2017-10198: Fix incorrect enforcement of certificate\n path restrictions (bsc#1049331).\n\n - CVE-2017-10193: Fix incorrect key size constraint check\n (bsc#1049330).\n\nBug fixes :\n\n - Drop Exec Shield workaround to fix crashes on recent\n kernels, where Exec Shield is gone (bsc#1052318).\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049305\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049306\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049307\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049309\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049310\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049313\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049314\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049315\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049316\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049321\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049322\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049323\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049325\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049326\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049328\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049329\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049330\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049331\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049332\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1052318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064073\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064077\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064081\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064082\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064084\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064086\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1_7_0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-accessibility-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-bootstrap-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-bootstrap-devel-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-bootstrap-headless-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-demo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-devel-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-javadoc-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"java-1_7_0-openjdk-src-1.7.0.161-42.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-accessibility-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-bootstrap-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-bootstrap-devel-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-bootstrap-headless-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-demo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-devel-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-javadoc-1.7.0.161-45.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"java-1_7_0-openjdk-src-1.7.0.161-45.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-openjdk-bootstrap / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T14:10:55", "description": "This update for java-1_7_0-openjdk fixes the following issues:\nSecurity issues fixed :\n\n - CVE-2017-10356: Fix issue inside subcomponent Security (bsc#1064084).\n\n - CVE-2017-10274: Fix issue inside subcomponent Smart Card IO (bsc#1064071).\n\n - CVE-2017-10281: Fix issue inside subcomponent Serialization (bsc#1064072).\n\n - CVE-2017-10285: Fix issue inside subcomponent RMI (bsc#1064073).\n\n - CVE-2017-10295: Fix issue inside subcomponent Networking (bsc#1064075).\n\n - CVE-2017-10388: Fix issue inside subcomponent Libraries (bsc#1064086).\n\n - CVE-2017-10346: Fix issue inside subcomponent Hotspot (bsc#1064078).\n\n - CVE-2017-10350: Fix issue inside subcomponent JAX-WS (bsc#1064082).\n\n - CVE-2017-10347: Fix issue inside subcomponent Serialization (bsc#1064079).\n\n - CVE-2017-10349: Fix issue inside subcomponent JAXP (bsc#1064081).\n\n - CVE-2017-10345: Fix issue inside subcomponent Serialization (bsc#1064077).\n\n - CVE-2017-10348: Fix issue inside subcomponent Libraries (bsc#1064080).\n\n - CVE-2017-10357: Fix issue inside subcomponent Serialization (bsc#1064085).\n\n - CVE-2017-10355: Fix issue inside subcomponent Networking (bsc#1064083).\n\n - CVE-2017-10102: Fix incorrect handling of references in DGC (bsc#1049316).\n\n - CVE-2017-10053: Fix reading of unprocessed image data in JPEGImageReader (bsc#1049305).\n\n - CVE-2017-10067: Fix JAR verifier incorrect handling of missing digest (bsc#1049306).\n\n - CVE-2017-10081: Fix incorrect bracket processing in function signature handling (bsc#1049309).\n\n - CVE-2017-10087: Fix insufficient access control checks in ThreadPoolExecutor (bsc#1049311).\n\n - CVE-2017-10089: Fix insufficient access control checks in ServiceRegistry (bsc#1049312).\n\n - CVE-2017-10090: Fix insufficient access control checks in AsynchronousChannelGroupImpl (bsc#1049313).\n\n - CVE-2017-10096: Fix insufficient access control checks in XML transformations (bsc#1049314).\n\n - CVE-2017-10101: Fix unrestricted access to com.sun.org.apache.xml.internal.resolver (bsc#1049315).\n\n - CVE-2017-10107: Fix insufficient access control checks in ActivationID (bsc#1049318).\n\n - CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).\n\n - CVE-2017-10110: Fix insufficient access control checks in ImageWatched (bsc#1049321).\n\n - CVE-2017-10108: Fix unbounded memory allocation in BasicAttribute deserialization (bsc#1049319).\n\n - CVE-2017-10109: Fix unbounded memory allocation in CodeSource deserialization (bsc#1049320).\n\n - CVE-2017-10115: Fix unspecified vulnerability in subcomponent JCE (bsc#1049324).\n\n - CVE-2017-10118: Fix ECDSA implementation timing attack (bsc#1049326).\n\n - CVE-2017-10116: Fix LDAPCertStore following referrals to non-LDAP URL (bsc#1049325).\n\n - CVE-2017-10135: Fix PKCS#8 implementation timing attack (bsc#1049328).\n\n - CVE-2017-10176: Fix incorrect handling of certain EC points (bsc#1049329).\n\n - CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).\n\n - CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).\n\n - CVE-2017-10111: Fix checks in LambdaFormEditor (bsc#1049322).\n\n - CVE-2017-10243: Fix unspecified vulnerability in subcomponent JAX-WS (bsc#1049332).\n\n - CVE-2017-10125: Fix unspecified vulnerability in subcomponent deployment (bsc#1049327).\n\n - CVE-2017-10114: Fix unspecified vulnerability in subcomponent JavaFX (bsc#1049323).\n\n - CVE-2017-10105: Fix unspecified vulnerability in subcomponent deployment (bsc#1049317).\n\n - CVE-2017-10086: Fix unspecified in subcomponent JavaFX (bsc#1049310).\n\n - CVE-2017-10198: Fix incorrect enforcement of certificate path restrictions (bsc#1049331).\n\n - CVE-2017-10193: Fix incorrect key size constraint check (bsc#1049330). Bug fixes :\n\n - Drop Exec Shield workaround to fix crashes on recent kernels, where Exec Shield is gone (bsc#1052318).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-01-04T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2018:0005-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10165", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10053", "CVE-2017-10067", "CVE-2017-10074", "CVE-2017-10081", "CVE-2017-10086", "CVE-2017-10087", "CVE-2017-10089", "CVE-2017-10090", "CVE-2017-10096", "CVE-2017-10101", "CVE-2017-10102", "CVE-2017-10105", "CVE-2017-10107", "CVE-2017-10108", "CVE-2017-10109", "CVE-2017-10110", "CVE-2017-10111", "CVE-2017-10114", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10118", "CVE-2017-10125", "CVE-2017-10135", "CVE-2017-10176", "CVE-2017-10193", "CVE-2017-10198", "CVE-2017-10243", "CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10346", "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349", "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356", "CVE-2017-10357", "CVE-2017-10388"], "modified": "2019-09-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debugsource", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless", "p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2018-0005-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105538", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:0005-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105538);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/09/10 13:51:46\");\n\n script_cve_id(\"CVE-2016-10165\", \"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\", \"CVE-2017-10053\", \"CVE-2017-10067\", \"CVE-2017-10074\", \"CVE-2017-10081\", \"CVE-2017-10086\", \"CVE-2017-10087\", \"CVE-2017-10089\", \"CVE-2017-10090\", \"CVE-2017-10096\", \"CVE-2017-10101\", \"CVE-2017-10102\", \"CVE-2017-10105\", \"CVE-2017-10107\", \"CVE-2017-10108\", \"CVE-2017-10109\", \"CVE-2017-10110\", \"CVE-2017-10111\", \"CVE-2017-10114\", \"CVE-2017-10115\", \"CVE-2017-10116\", \"CVE-2017-10118\", \"CVE-2017-10125\", \"CVE-2017-10135\", \"CVE-2017-10176\", \"CVE-2017-10193\", \"CVE-2017-10198\", \"CVE-2017-10243\", \"CVE-2017-10274\", \"CVE-2017-10281\", \"CVE-2017-10285\", \"CVE-2017-10295\", \"CVE-2017-10345\", \"CVE-2017-10346\", \"CVE-2017-10347\", \"CVE-2017-10348\", \"CVE-2017-10349\", \"CVE-2017-10350\", \"CVE-2017-10355\", \"CVE-2017-10356\", \"CVE-2017-10357\", \"CVE-2017-10388\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2018:0005-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_7_0-openjdk fixes the following issues:\nSecurity issues fixed :\n\n - CVE-2017-10356: Fix issue inside subcomponent Security\n (bsc#1064084).\n\n - CVE-2017-10274: Fix issue inside subcomponent Smart Card\n IO (bsc#1064071).\n\n - CVE-2017-10281: Fix issue inside subcomponent\n Serialization (bsc#1064072).\n\n - CVE-2017-10285: Fix issue inside subcomponent RMI\n (bsc#1064073).\n\n - CVE-2017-10295: Fix issue inside subcomponent Networking\n (bsc#1064075).\n\n - CVE-2017-10388: Fix issue inside subcomponent Libraries\n (bsc#1064086).\n\n - CVE-2017-10346: Fix issue inside subcomponent Hotspot\n (bsc#1064078).\n\n - CVE-2017-10350: Fix issue inside subcomponent JAX-WS\n (bsc#1064082).\n\n - CVE-2017-10347: Fix issue inside subcomponent\n Serialization (bsc#1064079).\n\n - CVE-2017-10349: Fix issue inside subcomponent JAXP\n (bsc#1064081).\n\n - CVE-2017-10345: Fix issue inside subcomponent\n Serialization (bsc#1064077).\n\n - CVE-2017-10348: Fix issue inside subcomponent Libraries\n (bsc#1064080).\n\n - CVE-2017-10357: Fix issue inside subcomponent\n Serialization (bsc#1064085).\n\n - CVE-2017-10355: Fix issue inside subcomponent Networking\n (bsc#1064083).\n\n - CVE-2017-10102: Fix incorrect handling of references in\n DGC (bsc#1049316).\n\n - CVE-2017-10053: Fix reading of unprocessed image data in\n JPEGImageReader (bsc#1049305).\n\n - CVE-2017-10067: Fix JAR verifier incorrect handling of\n missing digest (bsc#1049306).\n\n - CVE-2017-10081: Fix incorrect bracket processing in\n function signature handling (bsc#1049309).\n\n - CVE-2017-10087: Fix insufficient access control checks\n in ThreadPoolExecutor (bsc#1049311).\n\n - CVE-2017-10089: Fix insufficient access control checks\n in ServiceRegistry (bsc#1049312).\n\n - CVE-2017-10090: Fix insufficient access control checks\n in AsynchronousChannelGroupImpl (bsc#1049313).\n\n - CVE-2017-10096: Fix insufficient access control checks\n in XML transformations (bsc#1049314).\n\n - CVE-2017-10101: Fix unrestricted access to\n com.sun.org.apache.xml.internal.resolver (bsc#1049315).\n\n - CVE-2017-10107: Fix insufficient access control checks\n in ActivationID (bsc#1049318).\n\n - CVE-2017-10074: Fix integer overflows in range check\n loop predicates (bsc#1049307).\n\n - CVE-2017-10110: Fix insufficient access control checks\n in ImageWatched (bsc#1049321).\n\n - CVE-2017-10108: Fix unbounded memory allocation in\n BasicAttribute deserialization (bsc#1049319).\n\n - CVE-2017-10109: Fix unbounded memory allocation in\n CodeSource deserialization (bsc#1049320).\n\n - CVE-2017-10115: Fix unspecified vulnerability in\n subcomponent JCE (bsc#1049324).\n\n - CVE-2017-10118: Fix ECDSA implementation timing attack\n (bsc#1049326).\n\n - CVE-2017-10116: Fix LDAPCertStore following referrals to\n non-LDAP URL (bsc#1049325).\n\n - CVE-2017-10135: Fix PKCS#8 implementation timing attack\n (bsc#1049328).\n\n - CVE-2017-10176: Fix incorrect handling of certain EC\n points (bsc#1049329).\n\n - CVE-2017-10074: Fix integer overflows in range check\n loop predicates (bsc#1049307).\n\n - CVE-2017-10074: Fix integer overflows in range check\n loop predicates (bsc#1049307).\n\n - CVE-2017-10111: Fix checks in LambdaFormEditor\n (bsc#1049322).\n\n - CVE-2017-10243: Fix unspecified vulnerability in\n subcomponent JAX-WS (bsc#1049332).\n\n - CVE-2017-10125: Fix unspecified vulnerability in\n subcomponent deployment (bsc#1049327).\n\n - CVE-2017-10114: Fix unspecified vulnerability in\n subcomponent JavaFX (bsc#1049323).\n\n - CVE-2017-10105: Fix unspecified vulnerability in\n subcomponent deployment (bsc#1049317).\n\n - CVE-2017-10086: Fix unspecified in subcomponent JavaFX\n (bsc#1049310).\n\n - CVE-2017-10198: Fix incorrect enforcement of certificate\n path restrictions (bsc#1049331).\n\n - CVE-2017-10193: Fix incorrect key size constraint check\n (bsc#1049330). Bug fixes :\n\n - Drop Exec Shield workaround to fix crashes on recent\n kernels, where Exec Shield is gone (bsc#1052318).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049305\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049306\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049307\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049309\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049310\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049313\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049314\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049315\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049316\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049321\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049322\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049323\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049325\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049326\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049328\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049329\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049330\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049331\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1049332\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064073\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064077\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064081\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064082\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064084\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064086\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-10165/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9841/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-9843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10053/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10067/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10074/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10081/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10086/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10087/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10089/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10090/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10096/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10101/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10102/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10105/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10107/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10108/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10109/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10110/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10111/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10114/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10115/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10116/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10118/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10125/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10135/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10176/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10193/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10198/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10243/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10274/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10281/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10285/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10295/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10345/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10346/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10347/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10348/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10349/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10350/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10355/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10356/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10357/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-10388/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20180005-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a779e6a4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2018-6=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-6=1\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2018-6=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2018-6=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-6=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2018-6=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-6=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-6=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-6=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2018-6=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1|2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1/2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-demo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-devel-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-demo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-devel-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-demo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-devel-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-demo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-devel-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-headless-1.7.0.161-43.7.6\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.161-43.7.6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-openjdk\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:27:13", "description": "The remote host is running a version of macOS that is prior to 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - Apache\n - AppSandbox\n - AppleScript\n - Application Firewall\n - ATS\n - Audio\n - CFNetwork\n - CFNetwork Proxies\n - CFString\n - Captive Network Assistant\n - CoreAudio\n - CoreText\n - DesktopServices\n - Directory Utility\n - file\n - Fonts\n - fsck_msdos\n - HFS\n - Heimdal\n - HelpViewer\n - IOFireWireFamily\n - ImageIO\n - Installer\n - Kernel\n - kext tools\n - libarchive\n - libc\n - libexpat\n - Mail\n - Mail Drafts\n - ntp\n - Open Scripting Architecture\n - PCRE\n - Postfix\n - Quick Look\n - QuickTime\n - Remote Management\n - SQLite\n - Sandbox\n - Screen Lock\n - Security\n - Spotlight\n - WebKit\n - zlib\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-10T00:00:00", "type": "nessus", "title": "macOS < 10.13 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-7659", "CVE-2017-9789", "CVE-2016-8743", "CVE-2017-10989", "CVE-2016-5387", "CVE-2017-0381", "CVE-2016-2161", "CVE-2016-8740", "CVE-2016-0736", "CVE-2016-9042", "CVE-2017-6451", "CVE-2017-6458", "CVE-2017-6460", "CVE-2017-6462", "CVE-2017-6463", "CVE-2017-6464", "CVE-2016-9063", "CVE-2017-9233", "CVE-2017-9788", "CVE-2017-3167", "CVE-2017-3169", "CVE-2017-7679", "CVE-2017-11103", "CVE-2017-7668", "CVE-2017-10140", "CVE-2017-7077", "CVE-2017-7122", "CVE-2017-7121", "CVE-2017-7125", "CVE-2017-7124", "CVE-2017-7123", "CVE-2017-7126", "CVE-2017-13811", "CVE-2017-13851", "CVE-2017-13828", "CVE-2017-7084", "CVE-2017-13827", "CVE-2017-7150", "CVE-2017-13837", "CVE-2017-7078", "CVE-2017-7143", "CVE-2017-7086", "CVE-2017-7149", "CVE-2017-13829", "CVE-2017-13833", "CVE-2017-13831", "CVE-2017-7127", "CVE-2016-4736", "CVE-2017-13853", "CVE-2017-13850", "CVE-2017-13832", "CVE-2017-13809", "CVE-2017-7074", "CVE-2017-13820", "CVE-2017-13807", "CVE-2017-7083", "CVE-2017-13821", "CVE-2017-13825", "CVE-2017-7138", "CVE-2017-13815", "CVE-2017-13819", "CVE-2017-13830", "CVE-2017-13814", "CVE-2017-7119", "CVE-2017-7114", "CVE-2017-13810", "CVE-2017-13817", "CVE-2017-13782", "CVE-2017-13818", "CVE-2017-13836", "CVE-2017-13840", "CVE-2017-13841", "CVE-2017-13842", "CVE-2017-13843", "CVE-2017-13854", "CVE-2017-13834", "CVE-2017-13873", "CVE-2017-13813", "CVE-2017-13816", "CVE-2017-13812", "CVE-2017-1000373", "CVE-2017-7141", "CVE-2017-6452", "CVE-2017-6455", "CVE-2017-6459", "CVE-2017-13824", "CVE-2017-13846", "CVE-2017-13822", "CVE-2017-7132", "CVE-2017-13823", "CVE-2017-13808", "CVE-2017-13838", "CVE-2017-7082", "CVE-2017-7080", "CVE-2017-13839", "CVE-2017-7128", "CVE-2017-7129", "CVE-2017-7130", "CVE-2017-7144"], "modified": "2019-04-10T00:00:00", "cpe": ["cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*"], "id": "700511.PRM", "href": "https://www.tenable.com/plugins/nnm/700511", "sourceData": "Binary data 700511.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:27:11", "description": "The version of Apple iOS running on the mobile device is prior to 11.0.1. It is, therefore, affected by multiple vulnerabilities as described in the HT208143 security advisory.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-17T00:00:00", "type": "nessus", "title": "Apple iOS < 11.0.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-7081", "CVE-2017-7087", "CVE-2017-7089", "CVE-2017-7090", "CVE-2017-7091", "CVE-2017-7092", "CVE-2017-7093", "CVE-2017-7094", "CVE-2017-7095", "CVE-2017-7096", "CVE-2017-7098", "CVE-2017-7099", "CVE-2017-7100", "CVE-2017-7102", "CVE-2017-7104", "CVE-2017-7107", "CVE-2017-7109", "CVE-2017-7111", "CVE-2017-7117", "CVE-2017-7120", "CVE-2017-7142", "CVE-2017-5130", "CVE-2017-10989", "CVE-2017-0381", "CVE-2017-9049", "CVE-2017-9050", "CVE-2017-7376", "CVE-2016-9063", "CVE-2017-9233", "CVE-2017-11103", "CVE-2017-7105", "CVE-2017-11120", "CVE-2017-11121", "CVE-2017-13828", "CVE-2017-13806", "CVE-2017-7133", "CVE-2017-7078", "CVE-2017-7086", "CVE-2017-7146", "CVE-2017-11122", "CVE-2017-13829", "CVE-2017-13833", "CVE-2017-13831", "CVE-2018-4302", "CVE-2017-7127", "CVE-2017-7106", "CVE-2017-13832", "CVE-2017-7083", "CVE-2017-13821", "CVE-2017-13825", "CVE-2017-13815", "CVE-2017-13830", "CVE-2017-13814", "CVE-2017-7114", "CVE-2017-13817", "CVE-2017-13818", "CVE-2017-13836", "CVE-2017-13840", "CVE-2017-13841", "CVE-2017-13842", "CVE-2017-13843", "CVE-2017-13854", "CVE-2017-13834", "CVE-2017-13873", "CVE-2017-13813", "CVE-2017-13816", "CVE-2017-13812", "CVE-2017-1000373", "CVE-2017-13822", "CVE-2017-7132", "CVE-2017-7080", "CVE-2017-7128", "CVE-2017-7129", "CVE-2017-7130", "CVE-2017-7103", "CVE-2017-7108", "CVE-2017-7110", "CVE-2017-7112", "CVE-2017-7116", "CVE-2017-13863", "CVE-2017-7131", "CVE-2017-7088", "CVE-2017-7072", "CVE-2017-7140", "CVE-2017-7148", "CVE-2017-7097", "CVE-2017-7118", "CVE-2017-7075", "CVE-2017-7139", "CVE-2017-7085", "CVE-2017-13877", "CVE-2017-6211", "CVE-2017-7145", "CVE-2017-7144", "CVE-2017-7115"], "modified": "2019-04-17T00:00:00", "cpe": ["cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*"], "id": "700542.PRM", "href": "https://www.tenable.com/plugins/nnm/700542", "sourceData": "Binary data 700542.prm", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-22T15:32:16", "description": "The version of Apple iOS running on the mobile device is prior to 11. It is, therefore, affected by multiple vulnerabilities as described in the HT208112 security advisory.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-09-21T00:00:00", "type": "nessus", "title": "Apple iOS < 11 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9063", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-0381", "CVE-2017-1000373", "CVE-2017-10989", "CVE-2017-11103", "CVE-2017-11120", "CVE-2017-11121", "CVE-2017-11122", "CVE-2017-13806", "CVE-2017-13812", "CVE-2017-13813", "CVE-2017-13814", "CVE-2017-13815", "CVE-2017-13816", "CVE-2017-13817", "CVE-2017-13818", "CVE-2017-13821", "CVE-2017-13822", "CVE-2017-13825", "CVE-2017-13828", "CVE-2017-13829", "CVE-2017-13830", "CVE-2017-13831", "CVE-2017-13832", "CVE-2017-13833", "CVE-2017-13834", "CVE-2017-13836", "CVE-2017-13840", "CVE-2017-13841", "CVE-2017-13842", "CVE-2017-13843", "CVE-2017-13854", "CVE-2017-13863", "CVE-2017-13873", "CVE-2017-13877", "CVE-2017-5130", "CVE-2017-6211", "CVE-2017-7072", "CVE-2017-7075", "CVE-2017-7078", "CVE-2017-7080", "CVE-2017-7081", "CVE-2017-7083", "CVE-2017-7085", "CVE-2017-7086", "CVE-2017-7087", "CVE-2017-7088", "CVE-2017-7089", "CVE-2017-7090", "CVE-2017-7091", "CVE-2017-7092", "CVE-2017-7093", "CVE-2017-7094", "CVE-2017-7095", "CVE-2017-7096", "CVE-2017-7097", "CVE-2017-7098", "CVE-2017-7099", "CVE-2017-7100", "CVE-2017-7102", "CVE-2017-7103", "CVE-2017-7104", "CVE-2017-7105", "CVE-2017-7106", "CVE-2017-7107", "CVE-2017-7108", "CVE-2017-7109", "CVE-2017-7110", "CVE-2017-7111", "CVE-2017-7112", "CVE-2017-7114", "CVE-2017-7115", "CVE-2017-7116", "CVE-2017-7117", "CVE-2017-7118", "CVE-2017-7120", "CVE-2017-7127", "CVE-2017-7128", "CVE-2017-7129", "CVE-2017-7130", "CVE-2017-7131", "CVE-2017-7132", "CVE-2017-7133", "CVE-2017-7139", "CVE-2017-7140", "CVE-2017-7142", "CVE-2017-7144", "CVE-2017-7145", "CVE-2017-7146", "CVE-2017-7148", "CVE-2017-7376", "CVE-2017-9049", "CVE-2017-9050", "CVE-2017-9233", "CVE-2018-4302"], "modified": "2022-06-21T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "APPLE_IOS_110_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/103420", "sourceData": "Binary data apple_ios_110_check.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T15:45:47", "description": "The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - apache\n - AppSandbox\n - AppleScript\n - Application Firewall\n - ATS\n - Audio\n - CFNetwork\n - CFNetwork Proxies\n - CFString\n - Captive Network Assistant\n - CoreAudio\n - CoreText\n - DesktopServices\n - Directory Utility\n - file\n - Fonts\n - fsck_msdos\n - HFS\n - Heimdal\n - HelpViewer\n - IOFireWireFamily\n - ImageIO\n - Installer\n - Kernel\n - kext tools\n - libarchive\n - libc\n - libexpat\n - Mail\n - Mail Drafts\n - ntp\n - Open Scripting Architecture\n - PCRE\n - Postfix\n - Quick Look\n - QuickTime\n - Remote Management\n - SQLite\n - Sandbox\n - Screen Lock\n - Security\n - Spotlight\n - WebKit\n - zlib\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-10-03T00:00:00", "type": "nessus", "title": "macOS < 10.13 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-4736", "CVE-2016-5387", "CVE-2016-8740", "CVE-2016-8743", "CVE-2016-9042", "CVE-2016-9063", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-0381", "CVE-2017-1000373", "CVE-2017-10140", "CVE-2017-10989", "CVE-2017-11103", "CVE-2017-13782", "CVE-2017-13807", "CVE-2017-13808", "CVE-2017-13809", "CVE-2017-13810", "CVE-2017-13811", "CVE-2017-13812", "CVE-2017-13813", "CVE-2017-13814", "CVE-2017-13815", "CVE-2017-13816", "CVE-2017-13817", "CVE-2017-13818", "CVE-2017-13819", "CVE-2017-13820", "CVE-2017-13821", "CVE-2017-13822", "CVE-2017-13823", "CVE-2017-13824", "CVE-2017-13825", "CVE-2017-13827", "CVE-2017-13828", "CVE-2017-13829", "CVE-2017-13830", "CVE-2017-13831", "CVE-2017-13832", "CVE-2017-13833", "CVE-2017-13834", "CVE-2017-13836", "CVE-2017-13837", "CVE-2017-13838", "CVE-2017-13839", "CVE-2017-13840", "CVE-2017-13841", "CVE-2017-13842", "CVE-2017-13843", "CVE-2017-13846", "CVE-2017-13850", "CVE-2017-13851", "CVE-2017-13853", "CVE-2017-13854", "CVE-2017-13873", "CVE-2017-3167", "CVE-2017-3169", "CVE-2017-6451", "CVE-2017-6452", "CVE-2017-6455", "CVE-2017-6458", "CVE-2017-6459", "CVE-2017-6460", "CVE-2017-6462", "CVE-2017-6463", "CVE-2017-6464", "CVE-2017-7074", "CVE-2017-7077", "CVE-2017-7078", "CVE-2017-7080", "CVE-2017-7082", "CVE-2017-7083", "CVE-2017-7084", "CVE-2017-7086", "CVE-2017-7114", "CVE-2017-7119", "CVE-2017-7121", "CVE-2017-7122", "CVE-2017-7123", "CVE-2017-7124", "CVE-2017-7125", "CVE-2017-7126", "CVE-2017-7127", "CVE-2017-7128", "CVE-2017-7129", "CVE-2017-7130", "CVE-2017-7132", "CVE-2017-7138", "CVE-2017-7141", "CVE-2017-7143", "CVE-2017-7144", "CVE-2017-7149", "CVE-2017-7150", "CVE-2017-7659", "CVE-2017-7668", "CVE-2017-7679", "CVE-2017-9233", "CVE-2017-9788", "CVE-2017-9789"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_10_13.NASL", "href": "https://www.tenable.com/plugins/nessus/103598", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103598);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/14 1:59:37\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-4736\",\n \"CVE-2016-5387\",\n \"CVE-2016-8740\",\n \"CVE-2016-8743\",\n \"CVE-2016-9042\",\n \"CVE-2016-9063\",\n \"CVE-2016-9840\",\n \"CVE-2016-9841\",\n \"CVE-2016-9842\",\n \"CVE-2016-9843\",\n \"CVE-2017-0381\",\n \"CVE-2017-3167\",\n \"CVE-2017-3169\",\n \"CVE-2017-6451\",\n \"CVE-2017-6452\",\n \"CVE-2017-6455\",\n \"CVE-2017-6458\",\n \"CVE-2017-6459\",\n \"CVE-2017-6460\",\n \"CVE-2017-6462\",\n \"CVE-2017-6463\",\n \"CVE-2017-6464\",\n \"CVE-2017-7074\",\n \"CVE-2017-7077\",\n \"CVE-2017-7078\",\n \"CVE-2017-7080\",\n \"CVE-2017-7082\",\n \"CVE-2017-7083\",\n \"CVE-2017-7084\",\n \"CVE-2017-7086\",\n \"CVE-2017-7114\",\n \"CVE-2017-7119\",\n \"CVE-2017-7121\",\n \"CVE-2017-7122\",\n \"CVE-2017-7123\",\n \"CVE-2017-7124\",\n \"CVE-2017-7125\",\n \"CVE-2017-7126\",\n \"CVE-2017-7127\",\n \"CVE-2017-7128\",\n \"CVE-2017-7129\",\n \"CVE-2017-7130\",\n \"CVE-2017-7132\",\n \"CVE-2017-7138\",\n \"CVE-2017-7141\",\n \"CVE-2017-7143\",\n \"CVE-2017-7144\",\n \"CVE-2017-7149\",\n \"CVE-2017-7150\",\n \"CVE-2017-7659\",\n \"CVE-2017-7668\",\n \"CVE-2017-7679\",\n \"CVE-2017-9233\",\n \"CVE-2017-9788\",\n \"CVE-2017-9789\",\n \"CVE-2017-10140\",\n \"CVE-2017-10989\",\n \"CVE-2017-11103\",\n \"CVE-2017-13782\",\n \"CVE-2017-13807\",\n \"CVE-2017-13808\",\n \"CVE-2017-13809\",\n \"CVE-2017-13810\",\n \"CVE-2017-13811\",\n \"CVE-2017-13812\",\n \"CVE-2017-13813\",\n \"CVE-2017-13814\",\n \"CVE-2017-13815\",\n \"CVE-2017-13816\",\n \"CVE-2017-13817\",\n \"CVE-2017-13818\",\n \"CVE-2017-13819\",\n \"CVE-2017-13820\",\n \"CVE-2017-13821\",\n \"CVE-2017-13822\",\n \"CVE-2017-13823\",\n \"CVE-2017-13824\",\n \"CVE-2017-13825\",\n \"CVE-2017-13827\",\n \"CVE-2017-13828\",\n \"CVE-2017-13829\",\n \"CVE-2017-13830\",\n \"CVE-2017-13831\",\n \"CVE-2017-13832\",\n \"CVE-2017-13833\",\n \"CVE-2017-13834\",\n \"CVE-2017-13836\",\n \"CVE-2017-13837\",\n \"CVE-2017-13838\",\n \"CVE-2017-13839\",\n \"CVE-2017-13840\",\n \"CVE-2017-13841\",\n \"CVE-2017-13842\",\n \"CVE-2017-13843\",\n \"CVE-2017-13846\",\n \"CVE-2017-13850\",\n \"CVE-2017-13851\",\n \"CVE-2017-13853\",\n \"CVE-2017-13854\",\n \"CVE-2017-13873\",\n \"CVE-2017-1000373\"\n );\n script_bugtraq_id(\n 91816,\n 93055,\n 94337,\n 94650,\n 95076,\n 95077,\n 95078,\n 95131,\n 95248,\n 97045,\n 97046,\n 97049,\n 97050,\n 97051,\n 97052,\n 97058,\n 97074,\n 97076,\n 97078,\n 97201,\n 99132,\n 99134,\n 99135,\n 99137,\n 99170,\n 99177,\n 99276,\n 99502,\n 99551,\n 99568,\n 99569,\n 100987,\n 100990,\n 100991,\n 100992,\n 100993,\n 100999,\n 102100\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-09-25-1\");\n\n script_name(english:\"macOS < 10.13 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is prior to\n10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is\nnot macOS 10.13. It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - AppSandbox\n - AppleScript\n - Application Firewall\n - ATS\n - Audio\n - CFNetwork\n - CFNetwork Proxies\n - CFString\n - Captive Network Assistant\n - CoreAudio\n - CoreText\n - DesktopServices\n - Directory Utility\n - file\n - Fonts\n - fsck_msdos\n - HFS\n - Heimdal\n - HelpViewer\n - IOFireWireFamily\n - ImageIO\n - Installer\n - Kernel\n - kext tools\n - libarchive\n - libc\n - libexpat\n - Mail\n - Mail Drafts\n - ntp\n - Open Scripting Architecture\n - PCRE\n - Postfix\n - Quick Look\n - QuickTime\n - Remote Management\n - SQLite\n - Sandbox\n - Screen Lock\n - Security\n - Spotlight\n - WebKit\n - zlib\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208144\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208165\");\n # https://lists.apple.com/archives/security-announce/2017/Sep/msg00005.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9cfca404\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.13 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nfixed_version = \"10.13\";\n\n# Patches exist for 10.10.5, OS X Yosemite v10.11.6 and OS X El Capitan v10.12.6\n# https://support.apple.com/en-us/HT208221\n# Do NOT mark them as vuln\nif (\n # No 10.x patch below 10.10.5\n ver_compare(ver:version, fix:'10.10.5', strict:FALSE) == -1\n ||\n # No 10.11.x patch below 10.11.6\n (\n version =~\"^10\\.11($|[^0-9])\"\n &&\n ver_compare(ver:version, fix:'10.11.6', strict:FALSE) == -1\n )\n ||\n # No 10.12.x patch below 10.12.6\n (\n version =~\"^10\\.12($|[^0-9])\"\n &&\n ver_compare(ver:version, fix:'10.12.6', strict:FALSE) == -1\n )\n)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2022-02-10T00:00:00", "description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have\nunspecified impact by leveraging improper pointer arithmetic.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847270>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[ebarretto](<https://launchpad.net/~ebarretto>) | since v3.1.1-1, rsync uses the included zlib instead of system zlib\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-23T00:00:00", "type": "ubuntucve", "title": "CVE-2016-9840", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840"], "modified": "2017-05-23T00:00:00", "id": "UB:CVE-2016-9840", "href": "https://ubuntu.com/security/CVE-2016-9840", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2022-06-28T22:07:10", "description": "## Summary\n\nIBM Tivoli Monitoring uses zlib compression library in both the General services library and the File Transfer component. This bulletin address several reported vulnerabilities in the zlib compression library. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-9840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2016-9841](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe TEMS(KMS) and TEMA(KAX) components for IBM Tivoli Monitoring 622 Fix Pack 9, 623 Fix Pack5 and 630 Fix Pack 7 are affected. For IBM Tivoli Monitoring 623 Fix pack 5 and 630 Fix pack 7, the following components are also affected: TEMA(KGL), TEPS(KCQ) and the User Interface Extensions (KUE)\n\n## Remediation/Fixes\n\nThe patches below update the TEMA(ax), TEMS(ms), TEPS(cq) and User Interface(ue) components which are shipped as part of ITM \n \nThe technote [_Upgrading Shared Components for IBM Tivoli Monitoring Agents_](<http://www.ibm.com/support/docview.wss?uid=swg21673490>) provides information on updating Shared Libraries. \n \n\n\n**Fix**| **VRMF**| **How to acquire fix** \n---|---|--- \n6.3.0-TIV-ITM-FP0007-IV97602| 6.3.0| \n<http://www.ibm.com/support/docview.wss?uid=swg24043952> \n6.2.3-TIV-ITM-FP0005-IV97602| 6.2.3 \n6.2.2-TIV-ITM-FP0009-IV97602| 6.2.2 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 July 2017 Draft bulletin created\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSTFXA\",\"label\":\"Tivoli Monitoring\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.3.0.7;6.2.3.5;6.2.2.9\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:41:57", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Monitoring Agent Framework component. (CVE-2016-9840, CVE-2016-9841, CVE-2016-9843)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9843"], "modified": "2018-06-17T15:41:57", "id": "FBBDA7CB379F4EF8DCEBAF120EA12F80CCC30DE0F47FC9D7596617C5FA098440", "href": "https://www.ibm.com/support/pages/node/563433", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nzlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \n\n## Vulnerability Details\n\n**CVE IDs: **CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 \n \n**CVEID:** [CVE-2016-9840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2016-9841](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM SPSS Analytic Server 2.0.1.0 \nIBM SPSS Analytic Server 2.0.0.0\n\n## Remediation/Fixes\n\nThe fixes for these vulnerabilities are included in IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 50 and subsequent releases. \n\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSWLVY\",\"label\":\"IBM SPSS Analytic Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Analytic Server\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"2.0;2.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-16T13:48:22", "type": "ibm", "title": "Security Bulletin: zlib vulnerability may affect IBM\u00ae SDK, Java\u2122 Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-16T13:48:22", "id": "6C5CA7A0756525376C7822618AC97C4C45E220AEABF472D45F8EB40E1DAA2ECD", "href": "https://www.ibm.com/support/pages/node/562329", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:06:37", "description": "## Summary\n\nzlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)\n\n \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM eDiscovery Manager Version 2.2.2\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRM_| _Remediation_ \n---|---|--- \nIBM eDiscovery Manager| 2.2.2| _Use_ IBM eDiscovery Manager 2.2.2 Interim Fix 11 available at [__https://www.ibm.com/support/fixcentral/__](<https://www-933.ibm.com/support/fixcentral/>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nJune 16, 2017: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS8JHU\",\"label\":\"eDiscovery Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"2.2.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:17:44", "type": "ibm", "title": "Security Bulletin: Open Source zlib Vulnerabilities in IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T12:17:44", "id": "3D812A2E5E1DE6B82054618E3EBB76C91CE2365FE982C3392DE97D4AEC269290", "href": "https://www.ibm.com/support/pages/node/291267", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:06:28", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 7, 7R1 and 8 used by IBM MessageSight. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the \u201cIBM Java SDK Security Bulletin\u201d, located in the References section for more information. \n \n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM MessageSight\n\n| v2.0 - 2.0.0.1 \n---|--- \nIBM MessageSight| v1.2 - 1.2.0.3 \nIBM MessageSight| v1.1 - 1.1.0.1 \n \n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM MessageSight_| \n\n_2.0_\n\n| \n\n_IT20660_\n\n| \n\n[_2.0.0.1-IBM-IMA-IF__IT20660_](<http://www.ibm.com/support/docview.wss?uid=swg22004204>) \n \n_IBM MessageSight_| \n\n_1.2_\n\n| \n\n_IT20660_\n\n| \n\n[_1.2.0.3-IBM-IMA-IF__IT20660_](<http://www.ibm.com/support/docview.wss?uid=swg22004281>) \n \n_IBM MessageSight_| \n\n_1.1_\n\n| \n\n_IT20660_\n\n| \n\n_1.1.0.1-IBM-IMA-IF__IT20660_ \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\nMarch 29, 2018\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSCGGQ\",\"label\":\"IBM MessageSight\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"1.1;1.2;2.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:40:33", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T15:40:33", "id": "44FD06DF739AE850EF4B0FD8EDFD9F3CA1D49EF6D12D841D2F929127DE9A82D8", "href": "https://www.ibm.com/support/pages/node/560997", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:16:11", "description": "## Summary\n\nSecurity Bulletin: Multiple vulnerabilities may affect IBM\u00ae SDK Java\u2122 Technology Edition Version 6, 7, 8 and IBM\u00ae Runtime Environment Java\u2122 Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation. \nJava SE issues disclosed in the Oracle April 2017 Critical Patch Update. \n\n\n## Vulnerability Details\n\nAdvisory CVEs: \nCVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843 \n\n \nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2017 Critical Patch Update. For more information please refer to [_Oracle's April 2017 CPU Advisory_](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA>) and the X-Force database entries referenced below. \n\n \n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nFileNet Content Manager 5.0.0, 5.2.1\n\n## Remediation/Fixes\n\nTo address this vulnerability install one of the fixes listed below to upgrade the IBM Java JRE. \nThe fixes supply the proper Java JRE for the various release levels of the affected products. Depending upon the product and release level, these fixes will upgrade the Java JRE (April 2017) to one of the following: \n\n * IBM JRE, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 45\n * IBM JRE, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 15\n * IBM JRE, Java Technology Edition, Version 8 Service Refresh 4 Fix Pack 5\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.0.0 \n5.2.1| [PJ44768](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44768>)| [5.0.0.10-P8PE-FP010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Process+Engine&release=5.0.0.10&platform=All&function=all>) \\- 8/11/2017 \n[5.2.1.7-P8CSS-FP007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet%20Product%20Family&product=ibm/Information+Management/FileNet+Content+Search+Services&release=5.2.1.7&platform=All&function=all>) \\- 6/26/2017 \n \nIn the above table, the APAR links will provide more information about the fix. \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[_Oracle April 2017 Java SE Critical Patch Update Advisory_](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA>) _ \n_[_IBM SDK, Java Technology Edition Security Vulnerabilities_](<https://developer.ibm.com/javasdk/support/security-vulnerabilities/>)\n\n## Change History\n\n26 June, 2017: Initial release \n11 August 2017: 5.0.0.10-P8PE-FP010 release\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSNVNV\",\"label\":\"FileNet Content Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Content Search Services\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"5.2.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSNW2F\",\"label\":\"FileNet P8 Platform\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Process Engine\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"5.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:18:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities may affect IBM\u00ae SDK Java\u2122 Technology Edition Version 6, 7, 8 and IBM\u00ae Runtime Environment Java\u2122 Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T12:18:13", "id": "701FCAB3C800D9AB919F50251A3540E3B87060D18EDCC6A9FF0C96423F3804E0", "href": "https://www.ibm.com/support/pages/node/560357", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:12:42", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8.0.4.2 and earlier used by Rational Asset Analyzer. Rational Asset Analyzer has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nRational Asset Analyzer 6.1.x.x\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Rational Asset Analyzer_| _6.1.x.x_| \n| [_Upgrade to Fixpack 14_](<http://www-01.ibm.com/support/docview.wss?uid=swg27021389>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SS3JHP\",\"label\":\"Rational Asset Analyzer\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"General Information\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.1;6.1.0.1;6.1.0.2;6.1.0.3;6.1.0.4;6.1.0.5;6.1.0.6;6.1.0.7;6.1.0.8;6.1.0.9;6.1.0.10;6.1.0.11;6.1.0.12;6.1.0.13\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-08-03T04:23:43", "id": "33998453A003DBEE91ADD9693A86AFA03B4197141BC03C7326ABC834DD122179", "href": "https://www.ibm.com/support/pages/node/560751", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T21:59:24", "description": "## Summary\n\nIBM DB2 is shipped as components of IBM Predictive Maintenance and Quality. Information about some security vulnerability affecting IBM DB2 have been published their respective security bulletins. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [_IBM\u00ae DB2\u00ae LUW on AIX and Linux Affected by vulnerabilities in zlib (CVE-2016-9840, CVE-2016-9841)_](<http://www-01.ibm.com/support/docview.wss?uid=swg22004735>) for vulnerability details and information about fixes. \nPlease consult the security bulletin [_IBM\u00ae DB2\u00ae LUW's Command Line Processor Contains Buffer Overflow Vulnerability (CVE-2017-1297)_](<http://www-01.ibm.com/support/docview.wss?uid=swg22004878>) for vulnerability details and information about fixes. \nPlease consult the security bulletin [_Buffer overflow vulnerability in IBM\u00ae DB2\u00ae LUW (CVE-2017-1105)_](<http://www-01.ibm.com/support/docview.wss?uid=swg22003877>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Predictive Maintenance and Quality 2.6.0 \nIBM Predictive Maintenance and Quality 2.5.3 \nIBM IoT Predictive Maintenance and Optimization 1.0.0| IBM DB2 Enterprise Server Edition V10.5 \n \n## Remediation/Fixes\n\n1\\. Stop COGNOS server, CNDS server, IIB server and DB2 server. \n\nFor details, refer <https://www.ibm.com/support/knowledgecenter/en/SSTNNL_2.6.0/com.ibm.pmq.doc/c_inst_pmq_stopsolutionservices.html>\n\n2\\. Get the v10.5fp8_linuxx64_nlpack.tar.gz from installation payload pm_q_svr_2.6_1_l86-64_en.tar.gz, pm_q_svr_2.5.3_1_l86-64_en.tar.gz or pmo_srv_1.0_1_l86-64_en.tar.gz , and unpack v10.5fp8_linuxx64_nlpack.tar.gz to a temp directory, for example: /home/user/tmp.\n\n3\\. Download the fixpack mentioned in vulnerability details, unpack and install by below command provided in that pack\n\n./installFixPack\n\n \n \n4\\. During the installation, need to input the db2 installtion directory, the default should be, /opt/ibm/db2/V10.5 \n \n5\\. During the installation, need to input path for \u201cVolume label DB2 National Language Package\u201d, then input the temporary path created above, /home/user/tmp/nlpack/, for example \n\n6\\. Start the servers being stopped. For details, refer\n\n<https://www.ibm.com/support/knowledgecenter/en/SSTNNL_2.6.0/com.ibm.pmq.doc/c_inst_pmq_startsolutionservices.html>\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n03 August 2017: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSTNNL\",\"label\":\"Predictive Maintenance and Quality\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-25T05:54:54", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM DB2 shipped with IBM Predictive Maintenance and Quality (CVE-2016-9840, CVE-2016-9841, CVE-2017-1297, CVE-2017-1105)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2017-1105", "CVE-2017-1297"], "modified": "2018-06-25T05:54:54", "id": "EF15DBE9DF088EEA41E61AFA61E2908FA17CEBFD7F299E7B8954046C59CDBA62", "href": "https://www.ibm.com/support/pages/node/565795", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that are used by Tivoli Netcool/OMNIbus. These were disclosed as part of the IBM Java SDK updates in January 2017 and April 2017. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5552_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE Java SE Embedded and Jrockit related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120872_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120872>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**C****VEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus 7.4.0 \nTivoli Netcool/OMNIbus 8.1.0\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nOMNIbus| 7.4.0.14| IV94202| <http://www-01.ibm.com/support/docview.wss?uid=swg24043837> \nOMNIbus | 8.1.0.12| IV94202| <http://www-01.ibm.com/support/docview.wss?uid=swg24043823> \n \n## Workarounds and Mitigations\n\nUpgrading the JRE is the only solution.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n30 June 2017: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSSHTQ\",\"label\":\"Tivoli Netcool\\/OMNIbus\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.4.0;8.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-17T15:42:17", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5552", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"], "modified": "2018-06-17T15:42:17", "id": "24DFABA5B2EC0AE6CB408AFF790D7F41BC7385C13B55076C79F5992C78869191", "href": "https://www.ibm.com/support/pages/node/563921", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T21:58:22", "description": "## Summary\n\nJazz Team Server is shipped as a component of Jazz Reporting Service (JRS). Information about multiple security vulnerabilities affecting Jazz Team Server and Jazz-based products has been published in a security bulletin. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3511](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-9840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nJRS 5.0, 5.0.1, 5.0.2| Jazz Foundation 5.0, 5.0.1, 5.0.2 \nJRS 6.0, 6.0.1, 6.0.2, 6.0.3| Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3 \n* Both JRS and Jazz Foundation are part of Rational Collaborative Lifecycle Management. \n\n## Remediation/Fixes\n\nConsult the security bulletin [Security Bulletin: Vulnerability in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology](<http://www-01.ibm.com/support/docview.wss?uid=swg22004599>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n22 June 2017: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Internal Use Only\n\nPSIRT # 8420 Record # 95166\n\n[{\"Product\":{\"code\":\"SSTU9C\",\"label\":\"Jazz Reporting Service\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"5.0;5.0.1;5.0.2;6.0;6.0.1;6.0.2;6.0.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:22:19", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3511"], "modified": "2018-06-17T05:22:19", "id": "2F9B8E7CD04F88375E7DA644A637018DCE889D492AB253B36AAC20CA2B0659B3", "href": "https://www.ibm.com/support/pages/node/562985", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThere are multiple vulnerabilities in SDK Java\u2122 Technology Edition used by IBM b-type SAN directors and switches. These issues were disclosed as part of the Java SDK updates in October 2017.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-10356](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10356>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133785> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n**CVEID:** [CVE-2017-10355](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10355>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133784> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2016-9840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)\n\n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2017-10281](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10281>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133720> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2017-10295](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10295>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133729> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N) \n\n**CVEID:** [CVE-2017-10345](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10345>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133774> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nProduct | VRMF \n---|--- \nIBM Network Advisor | All VRMF prior to 14.4.2 \n \n## Remediation/Fixes\n\nProduct | VRMF | FIX \n---|---|--- \nIBM Network Advisor | 14.4.2 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=SAN%20management%20software&amp;product=ibm/StorageAreaNetwork/Network+Advisor&amp;release=14.x&amp;platform=All&amp;function=all \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n9-28-2018: Original Creation\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Product\":{\"code\":\"STMSDB\",\"label\":\"Storage area network (SAN)-&gt;IBM Network Advisor\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF009\",\"label\":\"Firmware\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-02T14:15:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Java SDK affect IBM b-type SAN directors and switches.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2017-10281", "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10355", "CVE-2017-10356"], "modified": "2018-10-02T14:15:01", "id": "EA291979EDD5CB544FAE11C3A7590423A575F4DF6481A402F8DD15EA9D3A7C93", "href": "https://www.ibm.com/support/pages/node/733523", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:11:07", "description": "## Summary\n\nMultiple vulnerabilities in IBM Java SDK affect IBM QRadar SIEM.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3544_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2017-3533_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n\u00b7 IBM QRadar SIEM 7.2.0 \u2013 7.2.8 Patch 8 \n\n\u00b7 IBM QRadar SIEM 7.3.0 \u2013 7.3.0 Patch 3\n\n## Remediation/Fixes\n\n[\u00b7 _QRadar/QRM/QVM/QRIF/QNI 7.2.8 Patch 9_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=All&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170726184122&includeRequisites=1&includeS>)\n\n[\u00b7 _QRadar/QRM/QVM/QRIF/QNI 7.3.0 Patch 4_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=All&function=fixId&fixids=7.3.0-QRADAR-QRSIEM-20170830160510&includeRequisites=1&includeS>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n7 September 2017:First Publish\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSBQAC\",\"label\":\"IBM Security QRadar SIEM\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.2;7.3\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:02:18", "type": "ibm", "title": "Security Bulletin: IBM Java SDK as used in IBM QRadar SIEM is vulnerable to multiple CVE\u2019s.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3533", "CVE-2017-3544"], "modified": "2018-06-16T22:02:18", "id": "4CB34725F1E54FB000F6F431C0E55F2FC9A5C31FD2A568506AABE35E44D674CD", "href": "https://www.ibm.com/support/pages/node/296119", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:13:32", "description": "## Summary\n\nThe IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by multiple security vulnerabilities that exist in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. The security bulletin includes issues disclosed as part of the IBM Java SDK updates in April 2017. \nThe IBM Emptoris Strategic Supply Management Suite of products include IBM Emptoris Contract Management, IBM Emptoris Sourcing, IBM Emptoris Spend Analysis, IBM Emptoris Program Management, IBM Emptoris Strategic Supply Management and IBM Emptoris Supplier Lifecycle Management.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3511_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-1289_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1289>)** \nDESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n \n \n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n \n \n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nIBM Emptoris Contract Management 9.5 through 10.1.x \nIBM Emptoris Program Management 10.0.0 through 10.1.x \nIBM Emptoris Sourcing 10.0.0 through 10.1.x \nIBM Emptoris Spend Analysis 10.0.0 through 10.1.x \nIBM Emptoris Supplier Lifecycle Management 9.5 through 10.1.x \nIBM Emptoris Strategic Supply Management 10.0.0 through 10.1.x \nIBM Emptoris Services Procurement 10.x\n\n## Remediation/Fixes\n\nAn interim fix has been issued for the IBM WebSphere Application Server (WAS) which will upgrade the IBM Java Development Kit to a version which is not susceptible to this vulnerability. Customers running any of the IBM Emptoris products listed above should apply the interim fix to all IBM WebSphere Application Server installations that are used to run IBM Emptoris applications. Please refer to [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>) for details. \n \nSelect the appropriate WebSphere Application Server fix based on the version being used for IBM Emptoris product version. The following table lists the IBM Emptoris application versions along with the corresponding required version of IBM WebSphere Application Server and a link to the corresponding fix version where further installation instructions are provided. \n \n\n\n**Emptoris Product Version**\n\n| \n\n**WAS Version**\n\n| \n\n**Java Version**\n\n| \n\n**Remediation** \n \n---|---|---|--- \n9.5.x.x| \n\n8.0.0.x\n\n| \n\nJava 6\n\n| Apply Interim Fix [_PI80736_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043640>) \n10.0.0.x, 10.0.1.x| \n\n8.5.0.x\n\n| \n\nJava 6\n\n| Apply Interim Fix[_ PI80734_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043636>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24043321>) \n10.0.2.x , 10.0.4| \n\n8.5.5.x\n\n| \n\nJava 6 \n \n10.1.x| \n\n8.5.5.x\n\n| \n\nJava 7\n\n| Apply Interim Fix [_PI80733_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043628>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Platform\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ89\",\"label\":\"Emptoris Contract Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRER\",\"label\":\"Emptoris Program Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR8W\",\"label\":\"Emptoris Sourcing\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQAR\",\"label\":\"Emptoris Spend Analysis\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRC7\",\"label\":\"Emptoris Supplier Lifecycle Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:10:13", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3511"], "modified": "2018-06-16T20:10:13", "id": "24BEC163EA3BD84B7E22E782C3DC394F6DF7C93AF1345B97BF7B378DB6C0978E", "href": "https://www.ibm.com/support/pages/node/562289", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:14:43", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 that is used by IBM Cognos Command Center. These issues were disclosed as part of the IBM Java SDK updates in April 2017. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3544_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2017-3533_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Cognos Command Center 10.2 All Editions \n\nIBM Cognos Command Center 10.2.1 All Editions\n\nIBM Cognos Command Center 10.2.2 All Editions\n\nIBM Cognos Command Center 10.2.3 All Editions\n\nIBM Cognos Command Center 10.2.4 All Editions\n\n## Remediation/Fixes\n\nThe recommended fix is to upgrade to the latest Interim Fix : IBM Cognos Command Center 10.2.4 IF3 \n \n[IBM Cognos Command Center 10.2.4 Interim Fix 3](<http://www-01.ibm.com/support/docview.wss?uid=swg24043838>)\n\n## Workarounds and Mitigations\n\nNone.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n \n[_IBM Java SDK Security Bulletin_](<http://www.ibm.com/support/docview.wss?uid=swg22002169>) \n\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n18 July 2017: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSPLNP\",\"label\":\"Cognos Command Center\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"10.2.4;10.2.3;10.2.2;10.2.1;10.2\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T23:46:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java Runtime affect IBM Cognos Command Center", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3533", "CVE-2017-3544"], "modified": "2018-06-15T23:46:50", "id": "31CE758E4CAEC8E3CF50284009624A075DC3EF2C6C68F39AC01EBA9D5FEFB150", "href": "https://www.ibm.com/support/pages/node/563847", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:04:05", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 1.6 and 1.7 that is used by FSM. These issues were disclosed as part of the IBM Java SDK updates in April 2017. This bulletin addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3539_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2017-1289_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1289>)** \nDESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n \nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table. \n \n \n\n\nProduct| VRMF| Remediation \n---|---|--- \nFlex System Manager| 1.3.4.0| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [829047509](<http://www-01.ibm.com/support/docview.wss?uid=nas7a9c49e57131ba060862581a2005fb4e8>) for instructions on installing updates for FSM version 1.3.4 and Agents. \nFlex System Manager| 1.3.3.0| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [829047509](<http://www-01.ibm.com/support/docview.wss?uid=nas7a9c49e57131ba060862581a2005fb4e8>) for instructions on installing updates for FSM version 1.3.3 and Agents. \nFlex System Manager| 1.3.2.0 \n1.3.2.1| Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote [829047509](<http://www-01.ibm.com/support/docview.wss?uid=nas7a9c49e57131ba060862581a2005fb4e8>) for instructions on installing updates for FSM version 1.3.2 and Agents. \n \nFor all other VRMF IBM recommends upgrading to a fixed, supported version/release of the product. \n \nNote: Installation of the fixes provided in the technote will install a cumulative fix package that will update the version of the FSM. Reference the technote for more details. \n \n\n\nYou should verify applying this fix does not cause any compatibility issues. The fix may disable older encrypted protocols by default.\n\nIBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.\n\nFor a complete listing of FSM security iFixes go to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&amp;myns=purflex&amp;mync=E&amp;cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n29 September 2017: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"HW94A\",\"label\":\"Flex System Manager Node\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T01:38:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3539"], "modified": "2018-06-18T01:38:10", "id": "3F639035BAB0EB875C9E9E808512F3E2A87A86BDD91C548658A2E7907F9A7846", "href": "https://www.ibm.com/support/pages/node/632109", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:11:54", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3511_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3544_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539>) \n**DESCRIPTION: **An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe following products, running on all supported platforms, are affected: \nIBM InfoSphere Information Server: versions 9.1, 11.3 and 11.5 \nIBM InfoSphere Information Server on Cloud: version 11.5\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud| 11.5| [_JR57824_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57824>)| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is115_JR57824_ISF_services_engine_*>) \nInfoSphere Information Server| 11.3| [_JR57824_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57824>)| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR57824_ISF_services_engine_*>) \nInfoSphere Information Server| 9.1| [_JR57824_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57824>)| \\--Apply [_JR57824_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR57824_ISF_services_engine*>) on all tiers \n \n**Technical Support:** \nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [_open a Service Request_](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support. \n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[_IBM Java SDK Security Bulletin_](<https://www.ibm.com/support/docview.wss?uid=swg22002169>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n11 July 2017: Original version published \n25 October 2017: Fix for version 9.1 on HP is available\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSZJPZ\",\"label\":\"IBM InfoSphere Information Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"9.1;11.5;11.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}},{\"Product\":{\"code\":\"SSZJPZ\",\"label\":\"IBM InfoSphere Information Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"9.1;11.5;11.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:48:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-3511", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-16T13:48:34", "id": "ADC40C69949A3E45DE7D3CD6F77443003EA61DEFE08BECAF5A431BAF9DFF8DD9", "href": "https://www.ibm.com/support/pages/node/562549", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 and 8 used by Rational Business Developer. These issues were disclosed as part of the IBM Java SDK updates in Apr and Jul 2017.\n\n## Vulnerability Details\n\n \n \n**CVEID:** [_CVE-2017-10243_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10243>)** \n****DESCRIPTION:**** Microsoft Office software could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of objects in memory. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with privileges of the victim.**** \n****CVSS Base Score: 7.8** \n**CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/125293**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125293>)** for the current score**** \n****CVSS Environmental Score*: Undefined**** \n****CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) ** \n \n**CVEID:**** **[**_CVE-2017-10109_**](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10109>)** \nDESCRIPTION:**** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.**** \n****CVSS Base Score: 5.3**** \n****CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/128870**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128870>)** for the current score**** \n****CVSS Environmental Score*: Undefined**** \n****CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** \n \n**CVEID:**** **[**_CVE-2017-10108_**](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10108>)** \nDESCRIPTION:**** An unspecified vulnerability related to the Java SE, Java SE Embedded, JRockit Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.**** \n****CVSS Base Score: 5.3**** \n****CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/128869**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128869>)** for the current score**** \n****CVSS Environmental Score*: Undefined**** \n****CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) **** ** \n \n**CVEID: **[_CVE-2017-3511_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>) \n**DESCRIPTION: An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system.** \n**CVSS Base Score: 7.7** \n**CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/124890**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>)** for the current score** \n**CVSS Environmental Score*: Undefined** \n**CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)** \n \n \n**CVEID: **[_CVE-2017-1289_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1289>) \n**DESCRIPTION: IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources.** \n**CVSS Base Score: 8.2** \n**CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/125150**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>)** for the current score** \n**CVSS Environmental Score*: Undefined** \n**CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)** \n \n**CVEID: ** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>) \n**DESCRIPTION: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.** \n**CVSS Base Score: 3.3** \n**CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/120508**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>)** for the current score** \n**CVSS Environmental Score*: Undefined** \n**CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)** \n \n**CVEID: **[_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>) \n**DESCRIPTION: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.** \n**CVSS Base Score: 3.3** \n**CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/120509**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>)** for the current score** \n**CVSS Environmental Score*: Undefined** \n**CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)** \n \n**CVEID: **[_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>) \n**DESCRIPTION: zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.** \n**CVSS Base Score: 3.3** \n**CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/120510**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>)** for the current score** \n**CVSS Environmental Score*: Undefined** \n**CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)** \n \n**CVEID: **[_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION: zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.** \n**CVSS Base Score: 3.3** \n**CVSS Temporal Score: See **[**https://exchange.xforce.ibmcloud.com/vulnerabilities/120511**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>)** for the current score** \n**CVSS Environmental Score*: Undefined** \n**CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)** \n\n\n## Affected Products and Versions\n\nRational Business Developer 9.0 - 9.5\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nRational Business Developer| 9.0.x, 9.1.x, 9.5.x| None| [_Rational-rbd-IFix-IBMJDK7SR10FP10_](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm%252FRational%252FRational%2BBusiness%2BDeveloper%26fixids%3DRational-rbd-IFix-IBMJDK7SR10FP10%26source%3DSAR&data=02%7C01%7Challm%40hcl.com%7C73b831481f0d49f9717e08d593c7312d%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636577406106998150&sdata=hOnHO%2Bko21iJH4%2FEC5acEG54jf0rrbuUGd5MiZVJKt8%3D&reserved=0>) \n[_Rational-rbd-IFix-IBMJDK8SR4FP10_](<https://apac01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm%252FRational%252FRational%2BBusiness%2BDeveloper%26fixids%3DRational-rbd-IFix-IBMJDK8SR4FP10%26source%3DSAR&data=02%7C01%7Challm%40hcl.com%7C73b831481f0d49f9717e08d593c7312d%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636577406106998150&sdata=PiT%2FMth3HYj2QnXlzLdw981EQhUX14lr3nWzscIsoLU%3D&reserved=0>) \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[_IBM Java SDK Security Bulletin_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985393>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n18 August 2017: Original version published \n6 March 2018: Edited, added new CVEs\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSMQ79\",\"label\":\"Rational Business Developer\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"Eclipse\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"9.0;9.0.1;9.0.1.1;9.0.1.2;9.1;9.1.1;9.1.1.1;9.1.1.2;9.5;9.5.0.1;9.5.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10108", "CVE-2017-10109", "CVE-2017-10243", "CVE-2017-1289", "CVE-2017-3511"], "modified": "2018-08-03T04:23:43", "id": "DB88427B9B30E7BC27929575B10F1309F406508317076AB2CB83FCDD79124D3A", "href": "https://www.ibm.com/support/pages/node/566943", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:08:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 7 used by IBM Planning Analytics. These issues were disclosed as part of the IBM Java SDK updates in April 2017 and July 2017.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3511_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3539_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-10115_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10115>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/128876_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128876>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2017-10116_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10116>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/128877_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128877>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-10108_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10108>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/128869_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128869>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2017-10109_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10109>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/128870_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/128870>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nPlanning Analytics 2.0.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n \nPlanning Analytics 2.0.4 \n \nLink: <http://www-01.ibm.com/support/docview.wss?uid=swg24044410>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[IBM Java SDK Security Bulletin (April 2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg22002169>) \n[IBM Java SDK Security Bulletin (July 2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg22006695>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSD29G\",\"label\":\"IBM Planning Analytics\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Planning Analytics\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"2.0.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-24T07:27:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Planning Analytics.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-10108", "CVE-2017-10109", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-3511", "CVE-2017-3539"], "modified": "2020-02-24T07:27:10", "id": "CF2BF653951F57AA7BCC09D12353C414FBEE64EB71182AEEB1BD9B590AD53FF1", "href": "https://www.ibm.com/support/pages/node/566985", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:09:04", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by IBM Tivoli Monitoring. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-3514](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3514>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124893> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2017-3512](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3512>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124891> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3511](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124890> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-3509](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124888> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [CVE-2017-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124920> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3533](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124910> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-3539](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124915> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-1289](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1289>)** \nDESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/125150> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [CVE-2016-9840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120508> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9841](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120509> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9842](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120510> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-9843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/120511> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring version 6.2.3 Fix Pack 01 through 6.3.0 Fix Pack 07\n\n## Remediation/Fixes\n\nThese vulnerabilities exist where the affected Java Runtime Environment (JRE) is installed on systems running the Tivoli Enterprise Portal Browser client or Java WebStart client. The affected JRE is installed on a system when logging into the IBM Tivoli Enterprise Portal using the Browser client or WebStart client and a JRE at the required level does not exist. The portal provides an option to download the provided JRE to the system. \n \nThis fix below provides updated JRE packages for the portal server which can be downloaded by new client systems. Once the fix has been installed on the portal server, instructions in the README can be used to download the updated JRE from the portal to the portal clients. \n \n\n\n**_Fix_**| **_VRMF_**| **_How to acquire fix_** \n---|---|--- \n6.X.X-TIV-ITM_JRE_TEP-20170817| 6.2.3 FP1 through 630 FP7| <http://www.ibm.com/support/docview.wss?uid=swg24043981> \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n08/08/2017 Initial document draft. \n08/17/2017 Published to web.\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSTFXA\",\"label\":\"Tivoli Monitoring\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"ITM Tivoli Enterprise Portal V6\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.3.0.7;6.3.0.6;6.3.0.5;6.3.0.4;6.3.0.3;6.3.0.2;6.3.0.1;6.3.0;6.3;6.2.3.5;6.2.3.4;6.2.3.3;6.2.3.2;6.2.3.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:43:58", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-17T15:43:58", "id": "7D7C2F7950E4FCA765164EC739C1CE4D46C2BCAFE840312CE4E8D2D5364FD1D4", "href": "https://www.ibm.com/support/pages/node/566347", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T21:57:12", "description": "## Summary\n\nDB2 is shipped with IBM Performance Management products. Some of the information about security vulnerabilities affecting DB2 has been published in security bulletins. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-1520](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1520>)** \nDESCRIPTION:** IBM DB2 9.7, 10,1, 10.5, and 11.1 is vulnerable to an unauthorized command that allows the database to be activated when authentication type is CLIENT. IBM X-Force ID: 129830. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/129830> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID:** [CVE-2017-1519](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1519>)** \nDESCRIPTION:** IBM DB2 10.5 and 11.1 contains a denial of service vulnerability. A remote user can cause disruption of service for DB2 Connect Server setup with a particular configuration. IBM X-Force ID: 129829. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/129829> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2017-1434](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1434>)** \nDESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) under unusual circumstances, could expose highly sensitive information in the error log to a local user. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127806> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2017-1452](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1452>)** \nDESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user to obtain elevated privilege and overwrite DB2 files. IBM X-Force ID: 128180. \nCVSS Base Score: 6.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128180> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-1438](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1438>)** \nDESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access. IBM X-Force ID: 128057. \nCVSS Base Score: 6.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128057> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-1451](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1451>)** \nDESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access. IBM X-Force ID: 128178. \nCVSS Base Score: 6.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128178> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-1439](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1439>)** \nDESCRIPTION:** IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (includes DB2 Connect Server) could allow a local user with DB2 instance owner privileges to obtain root access. IBM X-Force ID: 128058. \nCVSS Base Score: 6.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128058> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)\n\n \nDetails of the following vulnerabilities are published in security bulletins: \n\n\n * [Privilege escalation vulnerability affects IBM\u00ae DB2\u00ae LUW (CVE-2017-1134)](<http://www-01.ibm.com/support/docview.wss?uid=swg22002573>)\n * [IBM\u00ae DB2\u00ae LUW on AIX and Linux Affected by vulnerabilities in zlib (CVE-2016-9840, CVE-2016-9841)](<http://www-01.ibm.com/support/docview.wss?uid=swg22004735>)\n * [IBM\u00ae DB2\u00ae LUW's Command Line Processor Contains Buffer Overflow Vulnerability (CVE-2017-1297)](<http://www-01.ibm.com/support/docview.wss?uid=swg22004878>)\n * [Buffer overflow vulnerability in IBM\u00ae DB2\u00ae LUW (CVE-2017-1105)](<http://www-01.ibm.com/support/docview.wss?uid=swg22003877>)\n\n## Affected Products and Versions\n\nIBM Cloud Application Performance Management, Base Private 8.1.4 \nIBM Cloud Application Performance Management, Advanced Private 8.1.4 \n\nIBM Monitoring 8.1.3\n\nIBM Application Diagnostics 8.1.3\n\nIBM Application Performance Management 8.1.3\n\nIBM Application Performance Management Advanced 8.1.3\n\n## Remediation/Fixes\n\n_Product_\n\n| _Product_ \n_VRMF_| _Remediation_ \n---|---|--- \nIBM Cloud Application Performance Management, Base Private \n\nIBM Cloud Application Performance Management, Advanced Private\n\n| _8.1.4_ \n \n_ _ \n_ _| The vulnerability can be remediated by applying DB2 V10.5 FP9, which is available for download from [Fix Central](<http://www-01.ibm.com/support/docview.wss?uid=swg24044110>), to your DB2 server. For information about applying DB2 V10.5 FP9 to your DB2 server, see the [DB2 for Linux, Unix, and Windows 10.5.0 Knowledge Center](<https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.wn.doc/doc/c0061179.html>). \n \nTo use DB2 V10.5 FP9 with your IBM Performance Management product, after you install the Performance Management server, apply the following 8.1.4.0-IBM-APM-SERVER-1F0002 server patch to the system where the Performance Management server is installed: [ \nhttp://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003632](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003632>) \n \nYou can apply 8.1.4.0-IBM-APM-SERVER-1F0002 either before or after you install the DB2 fix pack. \nIBM Monitoring \n\nIBM Application Diagnostics\n\nIBM Application Performance Management\n\nIBM Application Performance Management Advanced\n\n| _8.1.3_ \n \n_ _ \n_ _| The vulnerability can be remediated by applying the following 8.1.3.0-IBM-IPM-SERVER-IF0011 server patch to the system where the Performance Management server is installed: [http://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003678](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003678>) \n \n \n \n## Workarounds and Mitigations\n\nNone.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nDecember 7, 2017 Original copy published.\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSTFXA\",\"label\":\"Tivoli Monitoring\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"8.1.3;8.1.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:46:17", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in DB2 which is shipped with IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2017-1105", "CVE-2017-1134", "CVE-2017-1297", "CVE-2017-1434", "CVE-2017-1438", "CVE-2017-1439", "CVE-2017-1451", "CVE-2017-1452", "CVE-2017-1519", "CVE-2017-1520"], "modified": "2018-06-17T15:46:17", "id": "31028229FDC1BB19DF989803B4A864D39E803812D894CCF9E11C53D6714A6D33", "href": "https://www.ibm.com/support/pages/node/297163", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nMultiple vulnerabilities in the Oracle Java SE and the Java SE Embedded impact the IBM SDK, Java Technology Edition.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-3514_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3514>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2017-3512_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3512>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3511_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2017-3526_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-3509_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3544_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3533_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-3539_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2017-1289_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1289>)** \nDESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>)** \nDESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_Not Applicable_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=Not>)** \nDESCRIPTION:** Use this if you deliver IBM Java and are N/A to the IBM Java SDK update vulnerabilities because the vulnerabilities could not be exploited by your product. However, customers could run their own Java code using the IBM Java Runtime delivered with your product. \nCVSS Base Score: 0 \nCVSS Temporal Score: See [_Not Applicable_](<https://psirt.raleigh.ibm.com/teamworks/Not>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (0)\n\n## Affected Products and Versions\n\nIBM Monitoring 8.1.3 \nIBM Application Diagnostics 8.1.3 \nIBM Application Performance Management 8.1.3 \nIBM Application Performance Management Advanced 8.1.3 \nIBM Cloud Application Performance Management\n\n## Remediation/Fixes\n\n_Product_\n\n| _Product_ \n_VRMF_| _Remediation_ \n---|---|--- \nIBM Monitoring \n\nIBM Application Diagnostics\n\nIBM Application Performance Management\n\nIBM Application Performance Management Advanced\n\n| _8.1.3_ \n \n_ _ \n_ _| The vulnerabilities can be remediated by applying the following 8.1.3.0-IBM-IPM-SERVER-1F0010 server patch to the system where the Performance Management server is installed:[ \nhttp://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003329](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003329>)\n\nThe vulnerabilities can be remediated by applying the Core Framework patch 8.1.3.0-IBM-IPM-CORE-FRAMEWORK-IPM-IF0004 to all systems where Performance Management agents are installed:\n\n \n[http://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003459](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003459>)\n\nThe vulnerabilities can be remediated by applying the following 8.1.3.0-IBM-IPM-GATEWAY-1F0006 Hybrid Gateway patch to the system where the Hybrid Gateway is installed:\n\n \n[http://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003330](<http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003330>) \nIBM Cloud Application Performance Management| _N/A_| The vulnerabilities can be remediated by applying the Core Framework patch 8.1.3.2-IBM-IPM-CORE-FRAMEWORK-IPM-IF0001 to all systems where Performance Management agents are installed: \n[http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&amp;uid=isg400001685](<http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001685>)\n\n \nThe vulnerabilities can be remediated by applying the following 8.1.3.2.0-IBM-IPM-GATEWAY-IF0001 Hybrid Gateway patch to the system where the Hybrid Gateway is installed: \n\n[_http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&amp;uid=isg400001684_](<http://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001684>) \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nAug 16th, 2017 Original copy published.\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSTFXA\",\"label\":\"Tivoli Monitoring\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"8.1.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-17T15:43:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"], "modified": "2018-06-17T15:43:36", "id": "93E146998B94EC264E33E7B36FD946A69450033DA52EBD726834D95E2F65C29E", "href": "https://www.ibm.com/support/pages/node/565971", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-30T21:45:10", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 8 used by z/TPF. These issues were disclosed as part of the IBM Java SDK updates in April 2017.\n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\" located in the \u201cReferences\u201d section for more information. \n \n**CVEID:** [_CVE-2017-3514_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3514>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124893_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124893>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3512_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3512>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE AWT component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124891_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124891>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3511_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JCE component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124890_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124890>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-3526_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124904_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124904>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2017-3509_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 4.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124888_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3544_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124920_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124920>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3533_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533>) \n**DESCRIPTION:** An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124910_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124910>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-3539_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539>) \n**DESCRIPTION: **An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124915_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124915>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2017-1289_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1289>) \n**DESCRIPTION:** IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. \nCVSS Base Score: 8.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125150_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125150>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9840_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120508_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120508>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9841_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120509_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120509>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9842_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by an undefined left shift of negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120510_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120510>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-9843_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843>) \n**DESCRIPTION:** zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120511_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120511>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nz/TPF Enterprise Edition Version 1.1.14\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nz/TPF| 1.1.14| APAR PJ44655| \n\n 1. Apply APAR PJ44655, which you can download from the [z/TPF maintenance](<http://www.ibm.com/support/docview.wss?uid=swg27049604>) web page.\n 2. Download and install the `PJ44655_ibm-java-jre-8.0-4.5.tar.gz` package from the [IBM 64-bit Runtime Environment for z/TPF, Java Technology Edition, Version 8](<http://www-01.ibm.com/support/docview.wss?uid=swg24043118>) download page. \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[IBM SDK Java Technology Edition security bulletin](<http://www.ibm.com/support/docview.wss?uid=swg22002169>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n23 May 2017: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSZL53\",\"label\":\"TPF\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"z\\/TPF\",\"Platform\":[{\"code\":\"PF036\",\"label\":\"z\\/TPF\"}],\"Version\":\"1.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB35\",\"label\":\"Mainframe SW\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-30T07:48:35", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-1289", "CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3512", "CVE-2017-3514", "CVE-2017-3526", "CV