ID F5:K05534090 Type f5 Reporter f5 Modified 2016-01-09T02:33:00
Description
F5 Product Development has assigned INSTALLER-1945 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:
Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | None | 12.0.0, 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP AAM | None | 12.0.0, 11.4.0 - 11.6.0 | Not vulnerable | None
BIG-IP AFM | None | 12.0.0, 11.3.0 - 11.6.0 | Not vulnerable | None
BIG-IP Analytics | None | 12.0.0, 11.0.0 - 11.6.0 | Not vulnerable | None
BIG-IP APM | None | 12.0.0, 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP ASM | None | 12.0.0, 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP DNS | None | 12.0.0 | Not vulnerable | None
BIG-IP Edge Gateway | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP GTM | None | 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP Link Controller | None | 12.0.0, 11.0.0 - 11.6.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP PEM | None | 12.0.0, 11.3.0 - 11.6.0 | Not vulnerable | None
BIG-IP PSM | None | 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP WebAccelerator | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP WOM | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | Not vulnerable | None
ARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None
Enterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None
FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None
BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None
BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None
LineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | 4.0.0 - 4.4.0, 3.3.2 - 3.5.1 | None | Low | Java
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in K4602: Overview of the F5 security vulnerability response policy (https://support.f5.com/csp/article/K4602).

Supplemental Information

* K9970: Subscribing to email notifications regarding F5 products (https://support.f5.com/csp/article/K9970)
* K9957: Creating a custom RSS feed to view new and updated documents (https://support.f5.com/csp/article/K9957)
* K4602: Overview of the F5 security vulnerability response policy (https://support.f5.com/csp/article/K4602)
* K4918: Overview of the F5 critical issue hotfix policy (https://support.f5.com/csp/article/K4918)
* K167: Downloading software and firmware from F5 (https://support.f5.com/csp/article/K167)

Bulletin metadata

* Title: Java vulnerability CVE-2015-4803. Published 2015-11-21T01:04:00, modified 2016-01-09T02:33:00, last seen 2017-06-08T00:16:30. URL: https://support.f5.com/csp/article/K05534090 (legacy URL: http://support.f5.com/kb/en-us/solutions/public/k/05/sol05534090.html, ID SOL05534090, published 2015-11-20).
* CVEs covered: CVE-2015-4803, CVE-2015-4893, CVE-2015-4911. CVSS v2 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P).
* Companion bulletin: K14132811, Java vulnerability CVE-2015-4893 (https://support.f5.com/csp/article/K14132811; legacy SOL14132811), published 2015-11-21T01:15:00, modified 2016-12-01T20:07:00. It assigns INSTALLER-1947 (Traffix SDC) and carries the same product table, with Traffix SDC 4.0.0 - 4.4.0 and 3.3.2 - 3.5.1 vulnerable at Low severity and no non-vulnerable version listed.

Vulnerability details (NVD records for the three CVEs)

Each of CVE-2015-4803 (published 2015-10-21T21:59:00), CVE-2015-4893 (2015-10-21T23:59:00) and CVE-2015-4911 (2015-10-22) is an unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, Java SE Embedded 8u51 and JRockit R28.3.7 that allows remote attackers to affect availability via vectors related to JAXP; the three are distinct issues. NVD records them with CWE NVD-CWE-noinfo and CVSS v2 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P (exploitability 10.0, impact 2.9, severity MEDIUM). Affected CPEs: oracle:jre and oracle:jdk 1.6.0 update 101, 1.7.0 update 85, 1.8.0 updates 51 and 60, and oracle:jrockit r28.3.7.

Per the Oracle Critical Patch Update of October 2015 (http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html), the issues apply to client and server deployments of Java. They can be exploited through sandboxed Java Web Start applications and sandboxed Java applets, and also by supplying data to APIs in the JAXP component without any sandboxed application or applet, such as through a web service. Red Hat's advisory text (RHSA-2015:2086) is more concrete about the mechanism: a specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. In other words, any Java service that accepts XML from untrusted parties is in scope, not only browser-side Java.

Third-party advisories and scanner coverage for the same CVEs

* Oracle JRockit: R28 prior to R28.3.8 is affected by the three JAXP denial of service issues and by CVE-2015-4872, an unspecified flaw in the Security subcomponent with integrity impact. Fix: upgrade to R28.3.8 or later (October 2015 CPU). Nessus plugin 86474, ORACLE_JROCKIT_CPU_OCT_2015.NASL (https://www.tenable.com/plugins/nessus/86474), a local Windows check on jvm.dll with no known public exploit at publication.
* Red Hat: RHSA-2015:1919, RHSA-2015:1920, RHSA-2015:1921, RHSA-2015:1927, RHSA-2015:1928, RHSA-2015:2086. RHSA-2015:2086 (java-1.6.0-openjdk for Red Hat Enterprise Linux 5, 6 and 7, rated Important) also fixes sandbox bypasses in CORBA, Libraries, RMI, Serialization and 2D (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844), the X.509 constraint-checking flaw CVE-2015-4872, and further sandbox bypasses in Libraries, CORBA, JAXP, JGSS and RMI (CVE-2015-4806, reported by Andrea Palazzo of Truel IT, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903). All running OpenJDK instances must be restarted for the update to take effect. Nessus plugin 86927, ORACLELINUX_ELSA-2015-2086.NASL (https://www.tenable.com/plugins/nessus/86927), checks rpm output on Oracle Linux 5, 6 and 7 for the updated java-1.6.0-openjdk, -demo, -devel, -javadoc and -src packages.
* CentOS: CESA-2015:1919, CESA-2015:1920, CESA-2015:1921, CESA-2015:2086. Oracle Linux: ELSA-2015-1919, ELSA-2015-1920, ELSA-2015-1921, ELSA-2015-2086.
* Debian: DSA-3381-1, DSA-3381-2, DLA-346-1. Ubuntu: USN-2784-1, USN-2827-1. Amazon Linux: ALAS-2015-605, ALAS-2015-606, ALAS-2015-616.
* SUSE: SUSE-SU-2015:1874-1, SUSE-SU-2015:1874-2, SUSE-SU-2015:1875-1, SUSE-SU-2015:1875-2, openSUSE-SU-2015:1902-1, openSUSE-SU-2015:1906-1, openSUSE-SU-2015:1971-1. Arch Linux: ASA-201510-15, ASA-201510-16.
* Other Nessus plugins: CENTOS_RHSA-2015-2086.NASL, REDHAT-RHSA-2015-1920.NASL, REDHAT-RHSA-2015-2086.NASL, SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL, SL_20151118_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL, DEBIAN_DLA-346.NASL, ALA_ALAS-2015-616.NASL, UBUNTU_USN-2827-1.NASL. OpenVAS NVTs: 1361412562310871474, 1361412562310108399, 1361412562310851128, 1361412562310882302, 1361412562310120595, 1361412562310806512, 1361412562310842548, 1361412562310851123, 1361412562310120606, 1361412562310122736.

The version test from the Tenable JRockit plugin (plugin 86474, copyright Tenable, Inc.) is the only part of the check that matters operationally: it flags installs reporting 28.3.7.x and audits out anything else. Note the plugin's own CVSS vector (AV:N/AC:L/Au:N/C:N/I:P/A:N) is taken from CVE-2015-4872, not from the JAXP CVEs.

```nasl
app = "Oracle JRockit";
install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
ver = install['version'];
type = install['type'];
path = install['path'];

if (ver =~ "^28(\.3)?$") audit(AUDIT_VER_NOT_GRANULAR, app, ver);
if (ver !~ "^28\.3($|[^0-9])") audit(AUDIT_NOT_INST, app + " 28.3.x");

# Affected :
# 28.3.7.x
if (ver =~ "^28\.3\.7($|[^0-9])")
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    # The DLL we're looking at is a level deeper in the JDK, since it
    # keeps a subset of the JRE in a subdirectory.
    if (type == "JDK") path += "\jre";
    path += "\bin\jrockit\jvm.dll";

    report =
      '\n  Type              : ' + type +
      '\n  Path              : ' + path +
      '\n  Installed version : ' + ver +
      '\n  Fixed version     : 28.3.8' +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);
```
preg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.0.1.el5_11\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif 
(rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:49:01", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734,\nCVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "edition": 14, "published": "2015-11-19T00:00:00", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 (20151118)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "modified": "2015-11-19T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-javadoc", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20151118_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/86938", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(86938);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", 
\"CVE-2015-4911\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 (20151118)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734,\nCVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1511&L=scientific-linux-errata&F=&S=&P=14793\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0a938c6b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7\")) 
flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:43:40", "description": "Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform. 
These vulnerabilities\nrelate to execution of arbitrary code, breakouts of the Java sandbox,\ninformation disclosure and denial of service.\n\nFor Debian 6 'Squeeze', these problems have been fixed in openjdk-6\nversion 6b37-1.13.9-1~deb6u1.\n\nWe recommend you to upgrade your openjdk-6 packages.\n\nLearn more about the Debian Long Term Support (LTS) Project and how to\napply these updates at: https://wiki.debian.org/LTS/\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "published": "2015-11-25T00:00:00", "title": "Debian DLA-346-1 : openjdk-6 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "modified": "2015-11-25T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:openjdk-6-jdk", "cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:openjdk-6-jre-zero", "p-cpe:/a:debian:debian_linux:icedtea-6-jre-cacao", "p-cpe:/a:debian:debian_linux:openjdk-6-demo", "p-cpe:/a:debian:debian_linux:openjdk-6-doc", "p-cpe:/a:debian:debian_linux:openjdk-6-jre-lib", "p-cpe:/a:debian:debian_linux:openjdk-6-source", "p-cpe:/a:debian:debian_linux:openjdk-6-jre", "p-cpe:/a:debian:debian_linux:openjdk-6-jre-headless", "p-cpe:/a:debian:debian_linux:openjdk-6-dbg"], "id": "DEBIAN_DLA-346.NASL", "href": "https://www.tenable.com/plugins/nessus/87056", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-346-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87056);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n\n script_name(english:\"Debian DLA-346-1 : openjdk-6 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform. These vulnerabilities\nrelate to execution of arbitrary code, breakouts of the Java sandbox,\ninformation disclosure and denial of service.\n\nFor Debian 6 'Squeeze', these problems have been fixed in openjdk-6\nversion 6b37-1.13.9-1~deb6u1.\n\nWe recommend you to upgrade your openjdk-6 packages.\n\nLearn more about the Debian Long Term Support (LTS) Project and how to\napply these updates at: https://wiki.debian.org/LTS/\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/11/msg00007.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/openjdk-6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wiki.debian.org/LTS/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:icedtea-6-jre-cacao\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-jdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-6-source\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"icedtea-6-jre-cacao\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-dbg\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-demo\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-doc\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-jdk\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-jre\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-jre-headless\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-jre-lib\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-jre-zero\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openjdk-6-source\", reference:\"6b37-1.13.9-1~deb6u1\")) flag++;\n\nif 
(flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:30:22", "description": "Updated java-1.6.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734,\nCVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 28, "published": "2015-11-19T00:00:00", "title": "CentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2015:2086)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "modified": "2015-11-19T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.6.0-openjdk", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2015-2086.NASL", "href": "https://www.tenable.com/plugins/nessus/86919", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2086 and \n# CentOS Errata and Security Advisory 2015:2086 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(86919);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", 
\"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:2086\");\n\n script_name(english:\"CentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2015:2086)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. 
In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734,\nCVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-November/021505.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b0775553\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-November/021506.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ac302beb\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-November/021507.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?888abf2c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.6.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4805\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x / 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1\")) 
flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:29:14", "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker\ncould exploit these to cause a denial of service or expose sensitive\ndata over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843,\nCVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data\nintegrity. An attacker could exploit this expose sensitive data over\nthe network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose\nsensitive data over the network. (CVE-2015-4734, CVE-2015-4842,\nCVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of\nservice. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2015-12-04T00:00:00", "title": "Ubuntu 12.04 LTS : openjdk-6 vulnerabilities (USN-2827-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "modified": "2015-12-04T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero", "p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib", "p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2827-1.NASL", "href": "https://www.tenable.com/plugins/nessus/87204", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2827-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87204);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"USN\", value:\"2827-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : openjdk-6 vulnerabilities (USN-2827-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker\ncould exploit these to cause a denial of service or expose sensitive\ndata over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843,\nCVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data\nintegrity. An attacker could exploit this expose sensitive data over\nthe network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose\nsensitive data over the network. 
(CVE-2015-4734, CVE-2015-4842,\nCVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of\nservice. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2827-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-jamvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/03\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-cacao\", pkgver:\"6b37-1.13.9-1ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"icedtea-6-jre-jamvm\", pkgver:\"6b37-1.13.9-1ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre\", pkgver:\"6b37-1.13.9-1ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-headless\", pkgver:\"6b37-1.13.9-1ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-lib\", pkgver:\"6b37-1.13.9-1ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"openjdk-6-jre-zero\", pkgver:\"6b37-1.13.9-1ubuntu0.12.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-6-jre-cacao / icedtea-6-jre-jamvm / openjdk-6-jre / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T01:22:18", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835 , CVE-2015-4881 , CVE-2015-4843 ,\nCVE-2015-4883 , CVE-2015-4860 , CVE-2015-4805 , CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. 
(CVE-2015-4803 , CVE-2015-4893 , CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806 , CVE-2015-4882 , CVE-2015-4842 , CVE-2015-4734 ,\nCVE-2015-4903)", "edition": 25, "published": "2015-12-15T00:00:00", "title": "Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2015-616)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo"], "id": "ALA_ALAS-2015-616.NASL", "href": "https://www.tenable.com/plugins/nessus/87342", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-616.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87342);\n script_version(\"2.2\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", 
\"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"ALAS\", value:\"2015-616\");\n script_xref(name:\"RHSA\", value:\"2015:2086\");\n\n script_name(english:\"Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2015-616)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835 , CVE-2015-4881 , CVE-2015-4843 ,\nCVE-2015-4883 , CVE-2015-4860 , CVE-2015-4805 , CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803 , CVE-2015-4893 , CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806 , CVE-2015-4882 , CVE-2015-4842 , CVE-2015-4734 ,\nCVE-2015-4903)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-616.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.6.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T05:37:09", "description": "Updated java-1.6.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734,\nCVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 32, "published": "2015-11-19T00:00:00", "title": "RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2015:2086)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:6.7", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo", "cpe:/o:redhat:enterprise_linux:7.1", "cpe:/o:redhat:enterprise_linux:7.7", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo"], "id": "REDHAT-RHSA-2015-2086.NASL", "href": "https://www.tenable.com/plugins/nessus/86930", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2086. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86930);\n script_version(\"2.15\");\n script_cvs_date(\"Date: 2019/10/24 15:35:40\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:2086\");\n\n script_name(english:\"RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2015:2086)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. 
A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734,\nCVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:2086\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4860\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4844\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4911\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2015-4893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4883\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4734\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4881\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4903\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4803\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4835\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:2086\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", 
cpu:\"i386\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1\")) 
flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T05:37:07", "description": "Updated java-1.6.0-sun packages that fix several security issues are\nnow available for Oracle Java for Red Hat Enterprise Linux 5, 6, and\n7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOracle Java SE version 6 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. 
Further\ninformation about these flaws can be found on the Oracle Java SE\nCritical Patch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806,\nCVE-2015-4835, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,\nCVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882,\nCVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,\nCVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 105 and resolve these\nissues. All running instances of Oracle Java must be restarted for the\nupdate to take effect.", "edition": 29, "published": "2015-10-23T00:00:00", "title": "RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2015:1928)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6.7", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:7.1", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-src", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-jdbc", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-plugin"], "id": "REDHAT-RHSA-2015-1928.NASL", "href": "https://www.tenable.com/plugins/nessus/86562", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red 
Hat Security Advisory RHSA-2015:1928. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86562);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2019/10/24 15:35:40\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4902\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1928\");\n\n script_name(english:\"RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2015:1928)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-sun packages that fix several security issues are\nnow available for Oracle Java for Red Hat Enterprise Linux 5, 6, and\n7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOracle Java SE version 6 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. 
Further\ninformation about these flaws can be found on the Oracle Java SE\nCritical Patch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806,\nCVE-2015-4835, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,\nCVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882,\nCVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,\nCVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 105 and resolve these\nissues. All running instances of Oracle Java must be restarted for the\nupdate to take effect.\"\n );\n # http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?312cfac8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1928\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4734\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4803\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4835\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4844\"\n 
);\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4860\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4881\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4883\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4903\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4911\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-jdbc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1928\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i586\", reference:\"java-1.6.0-sun-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i586\", reference:\"java-1.6.0-sun-demo-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-demo-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i586\", reference:\"java-1.6.0-sun-devel-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-devel-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i586\", reference:\"java-1.6.0-sun-jdbc-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-jdbc-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i586\", reference:\"java-1.6.0-sun-plugin-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if 
(rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-plugin-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i586\", reference:\"java-1.6.0-sun-src-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-src-1.6.0.105-1jpp.2.el5_11\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-demo-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-demo-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-devel-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-devel-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-jdbc-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-jdbc-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-plugin-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-plugin-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-sun-src-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-src-1.6.0.105-1jpp.2.el6_7\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.6.0-sun-1.6.0.105-1jpp.2.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-1.6.0.105-1jpp.2.el7_1\")) 
flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-demo-1.6.0.105-1jpp.2.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.6.0-sun-devel-1.6.0.105-1jpp.2.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-devel-1.6.0.105-1jpp.2.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-jdbc-1.6.0.105-1jpp.2.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-plugin-1.6.0.105-1jpp.2.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.6.0-sun-src-1.6.0.105-1jpp.2.el7_1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-sun / java-1.6.0-sun-demo / java-1.6.0-sun-devel / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:49:16", "description": "Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, breakouts of the Java sandbox, information\ndisclosure, or denial of service.", "edition": 23, "published": "2015-10-29T00:00:00", "title": "Debian DSA-3381-1 : openjdk-7 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "modified": "2015-10-29T00:00:00", "cpe": 
["p-cpe:/a:debian:debian_linux:openjdk-7", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3381.NASL", "href": "https://www.tenable.com/plugins/nessus/86642", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3381. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(86642);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"DSA\", value:\"3381\");\n\n script_name(english:\"Debian DSA-3381-1 : openjdk-7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, breakouts of the Java sandbox, information\ndisclosure, or denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/openjdk-7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/openjdk-7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.debian.org/security/2015/dsa-3381\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the openjdk-7 packages.\n\nFor the oldstable distribution (wheezy), these problems have been\nfixed in version 7u85-2.6.1-6~deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 7u85-2.6.1-5~deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"icedtea-7-jre-cacao\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"icedtea-7-jre-jamvm\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-dbg\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-demo\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-doc\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jdk\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jre\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jre-headless\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jre-lib\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-jre-zero\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openjdk-7-source\", reference:\"7u85-2.6.1-6~deb7u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"icedtea-7-jre-jamvm\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-dbg\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"openjdk-7-demo\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-doc\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-jdk\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-jre\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-jre-headless\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-jre-lib\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-jre-zero\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openjdk-7-source\", reference:\"7u85-2.6.1-5~deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:36:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-11-19T00:00:00", "id": "OPENVAS:1361412562310871474", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871474", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2015:2086-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.6.0-openjdk RHSA-2015:2086-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright 
(C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871474\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-19 06:34:05 +0100 (Thu, 19 Nov 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\",\n \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\",\n \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for java-1.6.0-openjdk RHSA-2015:2086-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.6.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n 
script_tag(name:\"insight\", value:\"The java-1.6.0-openjdk packages provide the\nOpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java-1.6.0-openjdk on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 
6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:2086-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-November/msg00012.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6|5)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.37~1.13.9.4.el7_1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.37~1.13.9.4.el7_1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.37~1.13.9.4.el7_1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.37~1.13.9.4.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.37~1.13.9.4.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.37~1.13.9.4.el6_7\", rls:\"RHENT_6\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.37~1.13.9.4.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.37~1.13.9.4.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.37~1.13.9.4.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.37~1.13.9.4.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.37~1.13.9.4.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.37~1.13.9.4.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.37~1.13.9.4.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "Oracle Linux Local Security 
Checks ELSA-2015-2086", "modified": "2018-09-28T00:00:00", "published": "2015-11-19T00:00:00", "id": "OPENVAS:1361412562310122736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122736", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-2086", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-2086.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122736\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-11-19 07:51:09 +0200 (Thu, 19 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-2086\");\n script_tag(name:\"insight\", value:\"ELSA-2015-2086 - java-1.6.0-openjdk security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-2086\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-2086.html\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.37~1.13.9.4.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.37~1.13.9.4.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.37~1.13.9.4.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = 
isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.37~1.13.9.4.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.37~1.13.9.4.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.37~1.13.9.4.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.37~1.13.9.4.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.37~1.13.9.4.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.37~1.13.9.4.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.37~1.13.9.4.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.37~1.13.9.4.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.37~1.13.9.4.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.37~1.13.9.4.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n 
exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.37~1.13.9.4.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.37~1.13.9.4.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2015-12-04T00:00:00", "id": "OPENVAS:1361412562310842548", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842548", "type": "openvas", "title": "Ubuntu Update for openjdk-6 USN-2827-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for openjdk-6 USN-2827-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842548\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-04 06:12:57 +0100 (Fri, 04 Dec 2015)\");\n script_cve_id(\"CVE-2015-4805\", \"CVE-2015-4835\", \"CVE-2015-4843\", \"CVE-2015-4844\",\n \"CVE-2015-4860\", \"CVE-2015-4881\", \"CVE-2015-4883\", \"CVE-2015-4806\",\n \"CVE-2015-4872\", \"CVE-2015-4734\", \"CVE-2015-4842\", \"CVE-2015-4903\",\n \"CVE-2015-4803\", \"CVE-2015-4893\", \"CVE-2015-4911\", \"CVE-2015-4882\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for openjdk-6 USN-2827-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-6'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities were discovered in\nthe OpenJDK JRE related to information disclosure, data integrity and availability.\nAn attacker could exploit these to cause a denial of service or expose sensitive\ndata over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843,\nCVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. 
An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data\nintegrity. An attacker could exploit this to expose sensitive data over\nthe network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related\nto information disclosure. An attacker could exploit these to expose\nsensitive data over the network. (CVE-2015-4734, CVE-2015-4842,\nCVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related\nto availability. An attacker could exploit these to cause a denial of\nservice. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\");\n script_tag(name:\"affected\", value:\"openjdk-6 on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2827-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2827-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-cacao\", ver:\"6b37-1.13.9-1ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"icedtea-6-jre-jamvm\", ver:\"6b37-1.13.9-1ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre\", ver:\"6b37-1.13.9-1ubuntu0.12.04.1\", 
rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-headless\", ver:\"6b37-1.13.9-1ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-lib\", ver:\"6b37-1.13.9-1ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-6-jre-zero\", ver:\"6b37-1.13.9-1ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:00:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-12-15T00:00:00", "id": "OPENVAS:1361412562310120606", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120606", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2015-616)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but 
WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120606\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-12-15 02:51:19 +0200 (Tue, 15 Dec 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2015-616)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in OpenJDK. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update java-1.6.0-openjdk to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-616.html\");\n script_cve_id(\"CVE-2015-4843\", \"CVE-2015-4842\", \"CVE-2015-4872\", \"CVE-2015-4860\", \"CVE-2015-4844\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4911\", \"CVE-2015-4734\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4903\", \"CVE-2015-4806\", \"CVE-2015-4805\", \"CVE-2015-4803\", \"CVE-2015-4835\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n 
script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.37~1.13.9.4.72.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.37~1.13.9.4.72.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.37~1.13.9.4.72.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.37~1.13.9.4.72.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.37~1.13.9.4.72.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.37~1.13.9.4.72.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-15T17:26:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.", "modified": "2020-05-12T00:00:00", "published": 
"2015-10-27T00:00:00", "id": "OPENVAS:1361412562310108399", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108399", "type": "openvas", "title": "Oracle Java SE JRE Multiple Unspecified Vulnerabilities-02 Oct 2015 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Java SE JRE Multiple Unspecified Vulnerabilities-02 Oct 2015 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108399\");\n script_version(\"2020-05-12T13:57:17+0000\");\n script_cve_id(\"CVE-2015-4902\", \"CVE-2015-4903\", \"CVE-2015-4911\", \"CVE-2015-4893\",\n \"CVE-2015-4883\", \"CVE-2015-4882\", \"CVE-2015-4881\", \"CVE-2015-4872\",\n \"CVE-2015-4860\", \"CVE-2015-4844\", \"CVE-2015-4843\", \"CVE-2015-4842\",\n \"CVE-2015-4835\", \"CVE-2015-4806\", \"CVE-2015-4805\", \"CVE-2015-4803\",\n \"CVE-2015-4734\");\n script_bugtraq_id(77241, 77194, 77209, 77207, 77161, 77181, 77159, 77211, 77162,\n 77164, 77160, 77154, 77148, 77126, 77163, 77200, 77192);\n script_tag(name:\"cvss_base\", 
value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-12 13:57:17 +0000 (Tue, 12 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-27 11:40:31 +0530 (Tue, 27 Oct 2015)\");\n script_name(\"Oracle Java SE JRE Multiple Unspecified Vulnerabilities-02 Oct 2015 (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to multiple\n unspecified errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to have an impact on confidentiality, integrity, and availability via different\n vectors.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE 6 update 101 and prior, 7\n update 85 and prior, 8 update 60 and prior on Linux.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/alerts-086861.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Sun/Java/JRE/Linux/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:oracle:jre\", \"cpe:/a:sun:jre\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(vers =~ \"^1\\.[6-8]\") {\n 
if(version_in_range(version:vers, test_version:\"1.8.0\", test_version2:\"1.8.0.60\") ||\n version_in_range(version:vers, test_version:\"1.7.0\", test_version2:\"1.7.0.85\") ||\n version_in_range(version:vers, test_version:\"1.6.0\", test_version2:\"1.6.0.101\")) {\n report = 'Installed version: ' + vers + '\\n' +\n 'Fixed version: ' + \"Apply the patch\" + '\\n';\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:37:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2015-11-03T00:00:00", "id": "OPENVAS:1361412562310851122", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851122", "type": "openvas", "title": "SUSE: Security Advisory for java-1_7_0-openjdk (SUSE-SU-2015:1874-2)", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
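The Oracle Java SE JRE plugin above works differently from the package checks: it has no fixed package version to compare against, so it takes the JRE version that gb_java_prdts_detect_lin.nasl reported and tests it against three inclusive ranges with version_in_range(), after a `^1\.[6-8]` guard that ignores anything outside the 6, 7 and 8 families. The Python below is an added example written for this page, not the plugin's or Greenbone's code. It assumes the detection step turns a `java -version` banner such as `1.8.0_60` into the dotted form `1.8.0.60` that the plugin compares (the plugin's test values are written that way), and feeds constructed banners through the same three ranges. All names in it are the example's own.

```python
"""Added example: the JRE version-range test of the Oracle Java SE plugin,
driven from `java -version` banners. Not Greenbone's code; the banners in
SAMPLE_BANNERS are constructed and the 1.x.y_zz -> 1.x.y.zz normalisation
is an assumption about what the detection script reports."""

import re
from typing import List, Optional, Tuple

# Inclusive ranges from the plugin: first release of each family up to the
# last update the advisory lists as affected (8u60, 7u85, 6u101).
AFFECTED_RANGES = [("1.8.0", "1.8.0.60"), ("1.7.0", "1.7.0.85"), ("1.6.0", "1.6.0.101")]

_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def normalize_java_version(banner: str) -> Optional[str]:
    """'java version "1.7.0_85"' -> '1.7.0.85'; the update number becomes a
    fourth dotted component. None when no version string is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return ".".join([major, minor, micro] + ([update] if update else []))


def _key(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive, component-wise numeric comparison. Missing trailing
    components count as zero, so '1.8.0' equals '1.8.0.0'."""
    v, lo, hi = _key(version), _key(low), _key(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def jre_vulnerable(banner: str) -> bool:
    """True when the banner's version lies in an affected range. Mirrors the
    plugin's ^1\\.[6-8] guard: JDK 9+ banners and unparsable text are never
    flagged, the same way the plugin exits without a result for them."""
    vers = normalize_java_version(banner)
    if vers is None or not re.match(r"1\.[6-8]\.", vers):
        return False
    return any(version_in_range(vers, lo, hi) for lo, hi in AFFECTED_RANGES)


# Constructed first lines of `java -version` output (printed on stderr).
SAMPLE_BANNERS: List[str] = [
    'java version "1.8.0_60"',     # last affected 8 update: flagged
    'java version "1.8.0_65"',     # above the 8u60 cutoff: not flagged
    'java version "1.7.0_85"',     # last affected 7 update: flagged
    'java version "1.6.0_105"',    # above the 6u101 cutoff: not flagged
    'openjdk version "1.8.0_222"', # far above the cutoff: not flagged
    'java version "9.0.1"',        # outside the 1.6-1.8 families: ignored
]
```

Two things the practitioner should keep in mind when reusing this. The regex accepts both `java version` and `openjdk version` banners, which is broader than a check aimed at Oracle's JRE; pair it with the vendor line that follows the version line if the distinction matters. And the plugin's qod_type is executable_version: a hit means a binary on the host reports an affected version, nothing more, so a JRE left behind by an old installer is flagged even if nothing runs it, and a JRE bundled inside an application tree the detection script did not look in is missed.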
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851122\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-11-03 06:07:41 +0100 (Tue, 03 Nov 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\",\n \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\",\n \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for java-1_7_0-openjdk (SUSE-SU-2015:1874-2)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_7_0-openjdk'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 
8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n\n - CVE-2015-4882: Unspecified vulnerability 
in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n av ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"java-1_7_0-openjdk on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2015:1874-2\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.91~21.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.91~21.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.91~21.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless\", rpm:\"java-1_7_0-openjdk-headless~1.7.0.91~21.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-headless-debuginfo~1.7.0.91~21.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n 
exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo\", rpm:\"java-1_7_0-openjdk-demo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo-debuginfo\", rpm:\"java-1_7_0-openjdk-demo-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel\", rpm:\"java-1_7_0-openjdk-devel~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-devel-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless\", rpm:\"java-1_7_0-openjdk-headless~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-headless-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", 
"CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "Check the version of java", "modified": "2019-03-08T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310882304", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882304", "type": "openvas", "title": "CentOS Update for java CESA-2015:1921 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2015:1921 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882304\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 07:26:20 +0200 (Thu, 22 Oct 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\",\n \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\",\n \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for java CESA-2015:1921 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of java\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1921\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-October/021438.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "Oracle Linux Local Security Checks ELSA-2015-1921", "modified": "2018-09-28T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310122718", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122718", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1921", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1921.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122718\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 08:30:59 +0300 (Thu, 22 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1921\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1921 - java-1.7.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1921\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1921.html\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n 
script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "Check the version of java", "modified": "2019-03-08T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310882301", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882301", "type": "openvas", "title": "CentOS Update for java CESA-2015:1920 
centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2015:1920 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882301\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 07:25:11 +0200 (Thu, 22 Oct 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\",\n \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\",\n \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\",\n \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for java CESA-2015:1920 centos7\");\n 
script_tag(name:\"summary\", value:\"Check the version of java\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1920\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-accessibility\", rpm:\"java-1.7.0-openjdk-accessibility~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", 
rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "Oracle Linux Local Security Checks ELSA-2015-1920", "modified": "2018-09-28T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310122716", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122716", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1920", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1920.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122716\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 08:30:57 +0300 (Thu, 22 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1920\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1920 - java-1.7.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1920\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1920.html\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n 
script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-accessibility\", rpm:\"java-1.7.0-openjdk-accessibility~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.2.0.1.el6_7\", 
rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:37:48", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 
([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 
([CVE-2015-4806 __](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4882 __](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842 __](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734 __](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903 __](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2015-12-14T10:00:00", "published": "2015-12-14T10:00:00", "id": "ALAS-2015-616", "href": "https://alas.aws.amazon.com/ALAS-2015-616.html", "title": "Important: java-1.6.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:36:54", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", 
"CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 
([CVE-2015-4806](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4840](<https://access.redhat.com/security/cve/CVE-2015-4840>), [CVE-2015-4882](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.63.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2015-10-27T13:52:00", "published": "2015-10-27T13:52:00", "id": "ALAS-2015-605", "href": "https://alas.aws.amazon.com/ALAS-2015-605.html", "title": "Critical: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:35:18", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", 
"CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nA flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted. ([CVE-2015-4868](<https://access.redhat.com/security/cve/CVE-2015-4868>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. 
([CVE-2015-4872](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-4806](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4840](<https://access.redhat.com/security/cve/CVE-2015-4840>), [CVE-2015-4882](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.7.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2015-10-27T16:39:00", "published": "2015-10-27T16:39:00", "id": "ALAS-2015-606", "href": "https://alas.aws.amazon.com/ALAS-2015-606.html", "title": "Important: java-1.8.0-openjdk", "type": "amazon", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:47:10", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "description": "The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:16", "published": "2015-11-18T05:00:00", "id": "RHSA-2015:2086", "href": "https://access.redhat.com/errata/RHSA-2015:2086", "type": "redhat", "title": "(RHSA-2015:2086) Important: java-1.6.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:13", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911"], "description": "Oracle Java SE version 6 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. 
Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835,\nCVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872,\nCVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902,\nCVE-2015-4903, CVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 105 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "modified": "2018-06-07T18:20:30", "published": "2015-10-22T22:21:17", "id": "RHSA-2015:1928", "href": "https://access.redhat.com/errata/RHSA-2015:1928", "type": "redhat", "title": "(RHSA-2015:1928) Important: java-1.6.0-sun security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:30", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. 
A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:16", "published": "2015-10-21T04:00:00", "id": "RHSA-2015:1920", "href": "https://access.redhat.com/errata/RHSA-2015:1920", "type": "redhat", "title": "(RHSA-2015:1920) Critical: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:12", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. 
An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2017-09-08T12:08:43", "published": "2015-10-21T04:00:00", "id": "RHSA-2015:1921", "href": "https://access.redhat.com/errata/RHSA-2015:1921", "type": "redhat", "title": "(RHSA-2015:1921) Important: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:48", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. 
A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report a revoked certificate, causing the application to\naccept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:23", "published": "2015-10-21T04:00:00", "id": "RHSA-2015:1919", "href": "https://access.redhat.com/errata/RHSA-2015:1919", "type": "redhat", "title": "(RHSA-2015:1919) Important: java-1.8.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:09", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911"], "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. 
Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810,\nCVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,\nCVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882,\nCVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 91 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "modified": "2018-06-07T18:20:34", "published": "2015-10-22T22:20:48", "id": "RHSA-2015:1927", "href": "https://access.redhat.com/errata/RHSA-2015:1927", "type": "redhat", "title": "(RHSA-2015:1927) Critical: java-1.7.0-oracle security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:41:42", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker \ncould exploit these to cause a denial of service or expose sensitive \ndata over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, \nCVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to \ninformation disclosure and data integrity. 
An attacker could exploit \nthis to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data \nintegrity. An attacker could exploit this to expose sensitive data over \nthe network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related \nto information disclosure. An attacker could exploit these to expose \nsensitive data over the network. (CVE-2015-4734, CVE-2015-4842, \nCVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related \nto availability. An attacker could exploit these to cause a denial of \nservice. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)", "edition": 5, "modified": "2015-12-03T00:00:00", "published": "2015-12-03T00:00:00", "id": "USN-2827-1", "href": "https://ubuntu.com/security/notices/USN-2827-1", "title": "OpenJDK 6 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:42:26", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker \ncould exploit these to cause a denial of service or expose sensitive \ndata over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, \nCVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881, \nCVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to \ninformation disclosure and data integrity. An attacker could exploit \nthis to expose sensitive data over the network. 
(CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data \nintegrity. An attacker could exploit this to expose sensitive data over \nthe network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related \nto information disclosure. An attacker could exploit these to expose \nsensitive data over the network. (CVE-2015-4734, CVE-2015-4840, \nCVE-2015-4842, CVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related \nto availability. An attacker could exploit these to cause a denial of \nservice. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911)", "edition": 5, "modified": "2015-10-28T00:00:00", "published": "2015-10-28T00:00:00", "id": "USN-2784-1", "href": "https://ubuntu.com/security/notices/USN-2784-1", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:13:03", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "Package : openjdk-6\nVersion : 6b37-1.13.9-1~deb6u1\nCVE ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806\n CVE-2015-4835 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844\n CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882\n CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911\n\nSeveral vulnerabilities have been discovered in OpenJDK, an implementation of\nthe Oracle Java platform. 
These vulnerabilities relate to execution of\narbitrary code, breakouts of the Java sandbox, information disclosure and\ndenial of service.\n\nFor Debian 6 "Squeeze", these problems have been fixed in openjdk-6\nversion 6b37-1.13.9-1~deb6u1.\n\nWe recommend you to upgrade your openjdk-6 packages.\n\nLearn more about the Debian Long Term Support (LTS) Project and how to\napply these updates at: https://wiki.debian.org/LTS/\n", "edition": 9, "modified": "2015-11-24T08:57:17", "published": "2015-11-24T08:57:17", "id": "DEBIAN:DLA-346-1:13970", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201511/msg00007.html", "title": "[SECURITY] [DLA 346-1] openjdk-6 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:51:55", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3381-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nOctober 27, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-7\nCVE ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 \n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893\n CVE-2015-4903 CVE-2015-4911\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, breakouts of the Java sandbox, information 
disclosure,\nor denial of service.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 7u85-2.6.1-6~deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 7u85-2.6.1-5~deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7u85-2.6.1-5.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2015-10-27T21:21:47", "published": "2015-10-27T21:21:47", "id": "DEBIAN:DSA-3381-1:4656D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00280.html", "title": "[SECURITY] [DSA 3381-1] openjdk-7 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:28", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3381-2 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nNovember 1, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-7\nCVE ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 \n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893\n 
CVE-2015-4903 CVE-2015-4911\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, breakouts of the Java sandbox, information disclosure,\nor denial of service.\n\nThe jessie update in DSA 3381 was built incorrectly, we apologise for\nthe inconvenience. In addition the version number in jessie-security\nwas lower than in wheezy-security which could result in upgrade problems\nduring distribution updates. This has been fixed in 7u85-2.6.1-6~deb8u1.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2015-11-01T22:22:16", "published": "2015-11-01T22:22:16", "id": "DEBIAN:DSA-3381-2:F5B92", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00289.html", "title": "[SECURITY] [DSA 3381-2] openjdk-7 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:25:54", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "**CentOS Errata and Security Advisory** CESA-2015:2086\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. 
An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/033543.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/033544.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/033545.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2086.html", "edition": 3, "modified": "2015-11-18T20:38:46", "published": "2015-11-18T19:46:16", "href": "http://lists.centos.org/pipermail/centos-announce/2015-November/033543.html", "id": "CESA-2015:2086", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:28:51", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "**CentOS Errata and Security Advisory** CESA-2015:1920\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. 
A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
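The JAXP denial-of-service paragraph repeated in each of the OpenJDK advisories above (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911) describes resource exhaustion while parsing crafted XML. Installing the fixed packages is the remedy for the reported flaws; independently of that, an application that parses untrusted XML should configure JAXP so that DTD-driven entity expansion is refused outright. The program below is an added example, not code from this page or from Red Hat, CentOS or the OpenJDK project. The XML payload is constructed for the demonstration (a deliberately tiny three-level entity expansion, roughly a thousand expansions rather than the billions a real "billion laughs" document produces), and the `http://apache.org/xml/features/...` and `http://xml.org/sax/features/...` URIs are the Xerces feature names honoured by the JDK's built-in parser.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedJaxp {

    // Constructed sample input: the entity-expansion pattern kept small
    // (10 x 10 x 10 = 1000 copies of "lol") so it runs instantly but still
    // shows the default parser expanding entities the hardened one refuses.
    static final String ENTITY_EXPANSION_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + "]>\n"
      + "<lolz>&lol3;</lolz>";

    /** Factory configured to reject DTDs and external entities entirely. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: enforces the JDK's entity-expansion and
        // element/attribute count limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE at all: without a DTD there are no internal entities to
        // expand and no external entities to fetch (also closes XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a parser implementation ignore the line above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the given factory and reports whether it was accepted. */
    static String parseWith(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder builder = f.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            int expanded = doc.getDocumentElement().getTextContent().length();
            return "ACCEPTED, document text is " + expanded + " chars after expansion";
        } catch (SAXException e) {
            // disallow-doctype-decl makes the parser fail on the DOCTYPE line,
            // before any entity is expanded.
            return "REJECTED: " + e.getMessage();
        } catch (ParserConfigurationException e) {
            return "CONFIG ERROR: " + e.getMessage();
        } catch (IOException e) {
            return "IO ERROR: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory : "
            + parseWith(DocumentBuilderFactory.newInstance(), ENTITY_EXPANSION_DOC));
        System.out.println("hardened factory: "
            + parseWith(hardenedFactory(), ENTITY_EXPANSION_DOC));
    }
}
```

Run it with `javac HardenedJaxp.java && java HardenedJaxp`. The default factory parses the document and expands the entities (with a real billion-laughs payload that is where the CPU and memory go); the hardened factory fails on the DOCTYPE declaration with a SAXParseException before any expansion happens, which is the behaviour you want for XML that arrives from a network peer. For applications whose parser setup cannot be changed, recent JDK 7 and 8 builds also honour the `jdk.xml.entityExpansionLimit` system property (for example `-Djdk.xml.entityExpansionLimit=1000` on the java command line) as a coarser cap; treat that as a mitigation, not a substitute for the updated packages.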
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033475.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033477.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1920.html", "edition": 3, "modified": "2015-10-22T00:07:57", "published": "2015-10-21T23:14:14", "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/033475.html", "id": "CESA-2015:1920", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:28:51", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "**CentOS Errata and Security Advisory** CESA-2015:1921\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. 
A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033476.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1921.html", "edition": 3, "modified": "2015-10-21T23:24:30", "published": "2015-10-21T23:24:30", "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/033476.html", "id": "CESA-2015:1921", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:25:43", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", 
"CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "**CentOS Errata and Security Advisory** CESA-2015:1919\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report a revoked certificate, causing the application to\naccept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. 
(CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033474.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033478.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-accessibility\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1919.html", "edition": 3, "modified": "2015-10-22T00:08:18", "published": "2015-10-21T23:13:49", "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/033474.html", "id": "CESA-2015:1919", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:37", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "description": "[1:1.6.0.35-1.13.9.4.0.1.el5_11]\n- Add oracle-enterprise.patch\n[1:1.6.0.37-1.13.9.4]\n- Update with new IcedTea & b37 tarballs, including fix for appletviewer regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.3]\n- Update 
with new IcedTea & b37 tarballs, including more Kerberos fixes for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.2]\n- Update with new IcedTea & b37 tarballs, including Kerberos fixes for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.1]\n- Update with newer tarball, including 6763122 fix for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.1]\n- Drop java-1.6.0-openjdk-pstack.patch. 6310967, the upstream version, is applied in OpenJDK 6.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.0]\n- Update to IcedTea 1.13.9\n- Resolves: rhbz#1271926", "edition": 4, "modified": "2015-11-18T00:00:00", "published": "2015-11-18T00:00:00", "id": "ELSA-2015-2086", "href": "http://linux.oracle.com/errata/ELSA-2015-2086.html", "title": "java-1.6.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:07", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "[1:1.7.0.91-2.6.2.1.0.1]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Oracle Linux'\n[1:1.7.0.91-2.6.2.1]\n- added and applied patch500 8072932or8074489.patch to fix tck failure\n- Resolves: rhbz#1271918\n[1:1.7.0.91-2.6.2.0]\n- Drop patch for PR2521/RH1242587 now resolved upstream.\n- Resolves: rhbz#1271918\n[1:1.7.0.91-2.6.2.0]\n- Bump to 2.6.2 and u91b00.\n- Resolves: rhbz#1271918", "edition": 4, "modified": "2015-10-21T00:00:00", "published": "2015-10-21T00:00:00", "id": "ELSA-2015-1921", "href": "http://linux.oracle.com/errata/ELSA-2015-1921.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-05-29T18:35:15", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "[1:1.7.0.91-2.6.2.2.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.91-2.6.2.2]\n- added and applied patch500 8072932or8074489.patch to fix tck failure\n- Resolves: rhbz#1271919\n[1:1.7.0.91-2.6.2.1]\n- Bump to 2.6.2 and u91b00.\n- Resolves: rhbz#1271919", "edition": 4, "modified": "2015-10-21T00:00:00", "published": "2015-10-21T00:00:00", "id": "ELSA-2015-1920", "href": "http://linux.oracle.com/errata/ELSA-2015-1920.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:11", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "[1:1.8.0.65-0.b17]\n- October 2015 security update to u65b17.\n- Add script for generating OpenJDK tarballs from a local Mercurial tree.\n- Update RH1191652 patch to build against current AArch64 tree.\n- Use appropriate source ID to avoid unpacking both tarballs on AArch64.\n- Fix library removal script so jpeg, giflib and png sources are removed.\n- Update system-lcms.patch to regenerated upstream (8042159) version.\n- Drop LCMS update from rhel6-built.patch\n- Resolves: rhbz#1257654\n[1:1.8.0.51-4.b16]\n- bumped release to do an build, so test whether 1251560 was really fixed\n- Resolves: rhbz#1254197\n[1:1.8.0.60-4.b27]\n- updated to u60 (1255352)\n- 
Resolves: rhbz#1257654", "edition": 4, "modified": "2015-10-21T00:00:00", "published": "2015-10-21T00:00:00", "id": "ELSA-2015-1919", "href": "http://linux.oracle.com/errata/ELSA-2015-1919.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:19:41", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than 
CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n 
confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "edition": 1, "modified": "2015-11-02T17:11:48", "published": "2015-11-02T17:11:48", "id": "SUSE-SU-2015:1875-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00004.html", "title": "Security update for java-1_7_0-openjdk (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:50:21", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "edition": 1, "description": "java-1_7_0-openjdk was updated to fix 17 security issues.\n\n These security issues were 
fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and 
CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and 
availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-04T17:12:29", "published": "2015-11-04T17:12:29", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00010.html", "id": "OPENSUSE-SU-2015:1906-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n 
attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - 
CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "edition": 1, "modified": "2015-11-02T16:34:56", "published": "2015-11-02T16:34:56", "id": "SUSE-SU-2015:1874-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00000.html", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:36:29", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", 
"CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "java-1_7_0-openjdk was updated to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors 
related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed 
remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "edition": 1, "modified": "2015-11-04T16:14:26", "published": "2015-11-04T16:14:26", "id": "OPENSUSE-SU-2015:1902-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00008.html", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:21:58", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - 
CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n 
availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "edition": 1, "modified": "2015-11-02T17:11:26", "published": "2015-11-02T17:11:26", "id": "SUSE-SU-2015:1874-2", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00003.html", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "edition": 1, "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability 
in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n 
(bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-02T16:35:18", "published": "2015-11-02T16:35:18", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00001.html", "id": "SUSE-SU-2015:1875-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:22:46", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n 
and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java 
SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 
(bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "edition": 1, "modified": "2015-11-12T14:18:13", "published": "2015-11-12T14:18:13", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00019.html", "id": "OPENSUSE-SU-2015:1971-1", "title": "Security update for java-1_7_0-openjdk (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:44", "bulletinFamily": "unix", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. 
triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untrusted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. 
An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n\"user.dir\" system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untrusted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4871 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect confidentiality and integrity via unknown vectors\nrelated to Libraries.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. 
This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if the object proxy is an instance\nof a proxy class and that it uses the correct invocation handler. 
An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should be protected\nby the sandbox.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.", "modified": "2015-10-23T00:00:00", "published": "2015-10-23T00:00:00", "id": "ASA-201510-16", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000418.html", "type": "archlinux", "title": "jre7-openjdk: multiple issues", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}