Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2013-2022 Tenable Network Security, Inc.ALA_ALAS-2013-162.NASL
HistorySep 04, 2013 - 12:00 a.m.

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-162)

2013-09-0400:00:00
This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.
www.tenable.com
13
JSON

Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2013-1486 , CVE-2013-1484)

An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
(CVE-2013-1485)

It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2013-162.
#

include('compat.inc');

if (description)
{
  script_id(69721);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");

  script_cve_id("CVE-2013-0169", "CVE-2013-1485", "CVE-2013-1486");
  script_xref(name:"ALAS", value:"2013-162");
  script_xref(name:"RHSA", value:"2013:0275");
  script_xref(name:"CEA-ID", value:"CEA-2019-0547");

  script_name(english:"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-162)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux AMI host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"Multiple improper permission check issues were discovered in the JMX
and Libraries components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2013-1486 , CVE-2013-1484)

An improper permission check issue was discovered in the Libraries
component in OpenJDK. An untrusted Java application or applet could
use this flaw to bypass certain Java sandbox restrictions.
(CVE-2013-1485)

It was discovered that OpenJDK leaked timing information when
decrypting TLS/SSL protocol encrypted records when CBC-mode cipher
suites were used. A remote attacker could possibly use this flaw to
retrieve plain text from the encrypted packets by using a TLS/SSL
server as a padding oracle. (CVE-2013-0169)");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2013-162.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update java-1.7.0-openjdk' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc");
}
VendorProductVersionCPE
amazonlinuxjava-1.7.0-openjdkp-cpe:/a:amazon:linux:java-1.7.0-openjdk
amazonlinuxjava-1.7.0-openjdk-debuginfop-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo
amazonlinuxjava-1.7.0-openjdk-demop-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo
amazonlinuxjava-1.7.0-openjdk-develp-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel
amazonlinuxjava-1.7.0-openjdk-javadocp-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc
amazonlinuxjava-1.7.0-openjdk-srcp-cpe:/a:amazon:linux:java-1.7.0-openjdk-src
amazonlinuxcpe:/o:amazon:linux

Related

nessus 40
openvas 38
oraclelinux 3
centos 3
amazon 3
redhat 6
ubuntu 1
suse 3
threatpost 1
veracode 6
zdi 3
ubuntucve 13
cve 12
prion 11
ibm 24
securityvulns 5
f5 8
slackware 1
openssl 2
hackerone 1
debiancve 4
pentestpartners 1
osv 3
altlinux 5
freebsd 1
fedora 1
nessus
nessus
RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0275)
2013-02-21 00:00:00
CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0275)
2013-02-21 00:00:00
Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0275)
2013-07-12 00:00:00
openvas
openvas
CentOS Update for java CESA-2013:0275 centos6
2013-02-22 00:00:00
CentOS Update for java CESA-2013:0275 centos5
2013-02-22 00:00:00
Oracle: Security Advisory (ELSA-2013-0275)
2015-10-06 00:00:00
oraclelinux
oraclelinux
java-1.7.0-openjdk security update
2013-02-20 00:00:00
java-1.6.0-openjdk security update
2013-02-20 00:00:00
java-1.6.0-openjdk security update
2013-02-20 00:00:00
centos
centos
java security update
2013-02-20 20:12:54
java security update
2013-02-20 20:11:32
java security update
2013-02-20 20:33:43
amazon
amazon
Important: java-1.7.0-openjdk
2013-03-02 16:49:00
Important: java-1.6.0-openjdk
2013-03-02 16:50:00
Critical: openssl
2014-04-07 17:26:00
redhat
redhat
(RHSA-2013:0275) Important: java-1.7.0-openjdk security update
2013-02-20 00:00:00
(RHSA-2013:0532) Critical: java-1.7.0-oracle security update
2013-02-20 00:00:00
(RHSA-2013:0274) Important: java-1.6.0-openjdk security update
2013-02-20 00:00:00
ubuntu
ubuntu
OpenJDK vulnerabilities
2013-02-21 00:00:00
suse
suse
Security update for Java (important)
2013-02-22 20:04:33
java-1_6_0-openjdk: update to icedtea 1.12.3 (important)
2013-03-01 17:04:41
java-1_6_0-openjdk: update to icedtea 1.12.3 (important)
2013-03-01 18:04:30
threatpost
threatpost
Oracle Patches Critical Java Flaws in 7u15
2013-02-19 22:30:02
veracode
veracode
Sandbox Restrictions Bypass
2019-05-02 04:52:53
Sandbox Restrictions Bypass
2019-05-02 04:52:53
Sandbox Restrictions Bypass
2019-05-02 04:52:52
zdi
zdi
Oracle Java Proxy.newProxyInstance Security Manager Bypass Remote Code Execution Vulnerability
2013-03-22 00:00:00
Oracle Java setUncaughtExceptionHandler Security Manager Bypass Remote Code Execution Vulnerability
2013-03-22 00:00:00
Oracle Java doPrivilegedWithCombiner Security Manager Bypass Remote Code Execution Vulnerability
2013-03-22 00:00:00
ubuntucve
ubuntucve
CVE-2013-1484
2013-02-20 00:00:00
CVE-2013-1485
2013-02-20 00:00:00
CVE-2013-1486
2013-02-20 00:00:00
cve
cve
CVE-2013-1484
2013-02-20 21:55:00
CVE-2013-1485
2013-02-20 21:55:00
CVE-2013-1486
2013-02-20 21:55:00
prion
prion
Design/Logic Flaw
2013-02-20 21:55:00
Design/Logic Flaw
2013-02-20 21:55:00
Design/Logic Flaw
2013-02-20 21:55:00
ibm
ibm
Security Bulletin: Rational Build Forge Security Advisory (CVE-2013-0169)
2018-06-17 04:47:31
Security Bulletin: Potential security vulnerabilities in WebSphere Partner Gateway Express for the Oracle CPU April 2013.
2022-09-25 21:06:56
Security Bulletin: Java Vulnerability in Rational Automation Framework (CVE-2013-0169)
2018-06-17 04:48:04
securityvulns
securityvulns
ESA-2013-032 RSA BSAFEĀ® Micro Edition Suite Security Update for SSL/TLS Plaintext Recovery (aka ā€œLucky Thirteenā€) Vulnerability
2013-07-15 00:00:00
ESA-2013-045: RSA BSAFEĀ® SSL-C Security Update for SSL/TLS Plaintext Recovery (aka ā€œLucky Thirteenā€) Vulnerability
2013-07-15 00:00:00
ESA-2013-039: RSA BSAFEĀ® SSL-J Multiple Vulnerabilities
2014-04-07 00:00:00
f5
f5
K14190 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
2015-04-30 00:00:00
SOL14190 - TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
2013-02-08 00:00:00
K15637 : GnuTLS vulnerability CVE-2013-2116
2014-10-16 00:00:00
slackware
slackware
openssl
2013-02-11 23:49:59
openssl
openssl
Vulnerability in OpenSSL CVE-2013-0169
2013-02-04 00:00:00
Vulnerability in OpenSSL CVE-2016-2107
2016-05-03 00:00:00
hackerone
hackerone
Legal Robot: LUCKY13 (CVE-2013-0169) effects legalrobot.com
2017-07-30 20:00:47
debiancve
debiancve
CVE-2013-0169
2013-02-08 19:55:00
CVE-2013-1620
2013-02-08 19:55:00
CVE-2013-1624
2013-02-08 19:55:00
pentestpartners
pentestpartners
Vulnerabilities that (mostly) arenā€™t: LUCKY13
2024-05-03 05:12:27
osv
osv
CVE-2016-2107
2016-05-05 01:59:00
Improper Input Validation in Bouncy Castle
2022-05-14 02:14:04
openssl - several vulnerabilities
2013-02-13 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package openssl10 version 1.0.0k-alt1
2013-02-27 00:00:00
Security fix for the ALT Linux 9 package openssl1.1 version 1.0.0k-alt1
2013-02-27 00:00:00
Security fix for the ALT Linux 6 package openssl10 version 1.0.0k-alt1
2013-02-27 00:00:00
freebsd
freebsd
FreeBSD -- OpenSSL multiple vulnerabilities
2013-04-02 00:00:00
fedora
fedora
[SECURITY] Fedora 18 Update: mingw-openssl-1.0.1e-1.fc18
2013-04-03 04:51:11
JSON
Related for ALA_ALAS-2013-162.NASL
nessus40openvas38oraclelinux3centos3amazon3redhat6ubuntu1suse3threatpost1veracode6zdi3ubuntucve13cve12prion11ibm24securityvulns5f58slackware1openssl2hackerone1debiancve4pentestpartners1osv3altlinux5freebsd1fedora1