Azul Zulu Java Multiple Vulnerabilities (2022-04-19)

2022-04-19T00:00:00

Description

The version of Azul Zulu installed on the remote host is prior to 6 < 6.47 / 7 < 7.53.0.16 / 8 < 8.61.0.18 / 11 < 11.55.18 / 13 < 13.47.16 / 15 < 15.39.16 / 17 < 17.33.16 / 18 < 18.30.12. It is, therefore, affected by multiple vulnerabilities as referenced in the 2022-04-19 advisory. - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (CVE-2018-25032) - xml/jaxp (CVE-2022-21426) - core-libs/java.lang (CVE-2022-21434) - security-libs/java.security (CVE-2022-21443, CVE-2022-21449, CVE-2022-21476) - core-libs/javax.naming (CVE-2022-21496) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

{"id": "AZUL_ZULU_18_30_12.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Azul Zulu Java Multiple Vulnerabilities (2022-04-19)", "description": "The version of Azul Zulu installed on the remote host is prior to 6 < 6.47 / 7 < 7.53.0.16 / 8 < 8.61.0.18 / 11 < 11.55.18 / 13 < 13.47.16 / 15 < 15.39.16 / 17 < 17.33.16 / 18 < 18.30.12. It is, therefore, affected by multiple vulnerabilities as referenced in the 2022-04-19 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21449, CVE-2022-21476)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "published": "2022-04-19T00:00:00", "modified": "2023-11-01T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/159902", "reporter": "This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://docs.azul.com/core/zulu-openjdk/release-notes/april-2022", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21443", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21426", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21476", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21496", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21434", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032"], "cvelist": ["CVE-2018-25032", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "immutableFields": [], "lastseen": "2023-11-02T15:03:49", "viewCount": 435, "enchantments": {"score": {"value": 7.5, "uncertanity": 1.9, "vector": "NONE"}, "dependencies": {"references": [{"type": "aix", "idList": ["JAVA_JUN2022_ADVISORY.ASC", "JAVA_MAY2023_ADVISORY.ASC", "ZLIB_ADVISORY.ASC"]}, {"type": "almalinux", "idList": ["ALSA-2022:1442", "ALSA-2022:1445", "ALSA-2022:1491", "ALSA-2022:1642", "ALSA-2022:2201", "ALSA-2022:7813", "ALSA-2022:8420"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2018-25032", "ALPINE:CVE-2022-21426", "ALPINE:CVE-2022-21434", "ALPINE:CVE-2022-21443", "ALPINE:CVE-2022-21449", "ALPINE:CVE-2022-21476", "ALPINE:CVE-2022-21496"]}, {"type": "altlinux", "idList": ["11C08B8C28C751E471AEE6CC5818AAAD", "50050394FAC75271D4CBCC5BDF6F2E95"]}, {"type": "amazon", "idList": ["ALAS-2022-1602", "ALAS-2022-1631", "ALAS-2022-1633", "ALAS-2022-1640", "ALAS2-2022-1772", "ALAS2-2022-1778", "ALAS2-2022-1790", "ALAS2-2022-1791", "ALAS2-2022-1835"]}, {"type": "apple", "idList": ["APPLE:63CA0F4232480C58A7826938831F5D5B", "APPLE:9A4969F10DDA950938D09FB74CC40FF8", "APPLE:E82A2A3D978FD519CBF58A36F587B070"]}, {"type": "archlinux", "idList": ["ASA-202204-3"]}, {"type": "avleonov", "idList": ["AVLEONOV:317FBD7DA93C95993A9FFF38FB04A987"]}, {"type": "broadcom", "idList": ["BSNSA22342"]}, {"type": "centos", "idList": ["CESA-2022:1440", "CESA-2022:1487", "CESA-2022:2213"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0231"]}, {"type": "checkpoint_security", "idList": ["CPS:SK178887"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:1D6373C6C34B7DC575670E6C5020D261", "CFOUNDRY:59152B1A416D353D5CC80A97383D433B"]}, {"type": "cloudlinux", "idList": ["CLSA-2022:1652706231", "CLSA-2022:1653004535", "CLSA-2022:1654174749", "CLSA-2022:1661176564"]}, {"type": "cve", "idList": ["CVE-2018-25032", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2968-1:DFF4C", "DEBIAN:DLA-2993-1:EB800", "DEBIAN:DLA-3006-1:837AC", "DEBIAN:DLA-3114-1:9A50E", "DEBIAN:DSA-5111-1:D8F18", "DEBIAN:DSA-5128-1:74A9E", "DEBIAN:DSA-5131-1:B4168"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-25032", "DEBIANCVE:CVE-2022-21426", "DEBIANCVE:CVE-2022-21434", "DEBIANCVE:CVE-2022-21443", "DEBIANCVE:CVE-2022-21449", "DEBIANCVE:CVE-2022-21476", "DEBIANCVE:CVE-2022-21496"]}, {"type": "f5", "idList": ["F5:K21548854", "F5:K32172755", "F5:K45356577"]}, {"type": "fedora", "idList": ["FEDORA:2873C310660B", "FEDORA:4ED1D30964A5", "FEDORA:55B76304C3CC", "FEDORA:61ACF309F4BF", "FEDORA:AA920305E2ED", "FEDORA:B0E00301FECB"]}, {"type": "freebsd", "idList": ["36D10AF7-248D-11ED-856E-D4C9EF517024", "38F2E3A0-B61E-11EC-9EBC-1C697AA5A594", "8E150606-08C9-11ED-856E-D4C9EF517024"]}, {"type": "freebsd_advisory", "idList": ["FREEBSD_ADVISORY:FREEBSD-SA-22:08.ZLIB"]}, {"type": "gentoo", "idList": ["GLSA-202210-42"]}, {"type": "github", "idList": ["GHSA-CQCC-MM6X-VMVW", "GHSA-JC36-42CF-VQWJ", "GHSA-V6GP-9MMM-C6P5"]}, {"type": "githubexploit", "idList": ["29679EC9-9C5B-5910-8104-E911791DA3A6", "4A1985F7-D340-579E-8264-6600E6D36EA6", "99B3C890-1098-522A-9048-18114789E396", "9BC861BB-9B85-5E2F-93A5-C10739416EFD", "B8BE8666-FE8E-5782-A850-746E4531A1C5", "D25368E9-0081-5E49-9A97-95E2EA103FBC", "DABB81F8-B135-5BB3-A657-89F3AFF9423D", "EC087842-DE11-5149-B3F6-AAA330A1A7F4"]}, {"type": "ibm", "idList": ["00B8BFFFE9EC2CDB467AF3D17608DB7C5E49C98591131C859F8ADA15204371EB", "017704F263DE498C81E38DCD35C1B649CAC8F2B6DA67887C1DC1F132F6BB1B85", "01A50703477A1B666E966BF1B72B350DC27813F59907D29FAE3903822284A578", "03D00591019CE34D0FD78640476E184E6CD4E23765A0C7A13539B6B78161E1A6", "0427E6AA646DE077D9A0FABE9729FECFF5A0C7757BA113C348506FCB5410F3B3", "05B0D73EFF1926611B9AC08DAC2A173A6A2D7E47E96A50C08B5EF48B15FD7204", "05EC9DE0F5BC041DB66900EACA3531DB498F30CFBA2A0F512211FC0D18A10FF5", "0640B969009F4949540096B6BCAB401C92F393BD37C329262A55A3CC03A3A43A", "0800FED45015812CA59F3FB2B71E7EBC02028DD8D4576D54E210A3FF45EC494B", "0C4B79BFF88AACC358B813B5EBF57229B26D0400A39D0FA7687D92FEE890BC8B", "0C4F33B9834BE4DCCBB315C6A51D7A6C22168F3238B03C20F333D6AA3D1001BD", "1296269A4889FCD8F8D7B4C9F08A0E826EF6165E8399BB26EC1986520611E4C2", "13DF93BE6568A723BC1B1099A6EB825A1766820CCBAA24882A8A0124557F6F8D", "1550D8200201461EC49D4AE69DCCF18DB21420A03A569C1221D5BF7158B80766", "167951D4CB6682B161C7C63B81A840E45EF18CAE83E9A3ED32C423308A35D68F", "17566E28965DC61A276C9A063E8C37A2A5F8A6A9ACF149A1FFA4C315A9A9DE63", "1841E92577ACD6AADDBB49C1995A398D151CBC9679F1BA2B9C77425F2E40A55C", "195918D2F5091119FF3B0CC5A9585BC7AC11F2FEC79E28813AEF279874757FC8", "19C4C882864E6146FC051FFD0D6639DA7D33478F602126A11F952529D4692F5D", "1BD589A2EFA871129365AA28211FAACF45DF2612E504EA283F22F4A22491789B", "1C01FE524F396C4C74AF68BC6472333E0271AA2E077FF9B1BF6BA0B33A77D397", "1C9467683C0D0A8476ABE9FE64162D21CBD301BBD3387CB281A812ECD3DEE4B0", "1C95A04242519BDC2A03052139F8B1CE701A8FAB16B4BB8DE62C177552C4651B", "1E4854A903497616A9D2E489883B7097A216137D8A9C20DACDE93B4250B7ADEF", "2086D78578107C87118705CD43C5319ABE0509F632BBA56B836AF909B50F1A9F", "210E846B804F49660D8B31302CE4B40ED51AFCA74132908CA88497EFC59F683D", "23E8421E36730ABF053F73AB99A0740D1C577B2DF0EEC94B55CAF5BE760F31AB", "247971D1F799EBAD3C90C83116C67B679B282B15485345523054CB1007DF8C21", "24F8EA7EB04EFC7BD25A64FD77684DB61778B7EC6FF4B522D3D85CC6C84A7071", "25BB8EE478BAB36FA7FCE8080766EC4C78D22510783D2348090CF2F616F77A70", "25D690A300D0E42310A8CA7E7EF327D23154BCA8F8F8C7756472D12C2424B272", "2982812924383536764B05E9EE51D50713C760EEBC623C7B5C75FC9B18B6A0F7", "2A46921EEC2CADB61365DF806BD35FD7B978A8C2F7E52A8A76CFA6C311901F49", "2BD5EB1610BFB9D059F9C086849D8EBB4229D9076E95833FFFD115789209904F", "2BE1B762E9F077419A696E0C1B88E2D3F236BE3549BFC2182468480E071BF032", "2CAE8A376FF7C11DC9BF7749C13BD20E32163EED67A505EFAC368EF0BD61D15C", "2CECCBEC6114A3E3185C5C03320DB2B14581632BEDF247838103E675D13B3713", "2D0F574971EC3935DCB84C5F7C39763FF716E95E0A5DB8AD002F670020E3326E", "2FFAA17CE193A68550F9DD0D2CC3796647948BC829C6055DFDE457A57C0AAF0B", "3118493A71581AC954C4C2FEC569296F8E85DBAA3E998BAE5607C264EDCEDAC3", "31B52B6899B60AEEF3E2FDB88C6911775AAECF09577B42C5714529B9E50C6861", "329CDA9E58C902A7C1F7429749889B14096AF7DD7DA0AB56B5D6F5982CAEC2B7", "37C10C2D0E7D2BFB4BB1A32B884A646EE86AC573C6ABC320C9FB60A8F1A3ECB6", "394571BD39F2074280A68C601C33234E8644406333EEB27762BDBEDCBEDC5348", "3A0AF20F09C0B2979253C90E84B995F8CD1F83152C1ABF4731B75885693E258C", "3AEF7C294CD9882B8A329A8B26C75BDD30756EBE8FB042D58F333D26CF4BBB8D", "3C1A78B2884463FDD0373C1C8B938DC6B62E78494896694E30B6E9004C4B927F", "405FD0B855F82EAFB0C7E7BE720D7AFC7890F3B8C8A2D83A909290CC1BFDA1A1", "408C74D95484E93E05D0B99834A53E6E9E970957DE240B861F1293CA7C8A6A1C", "429FC4FA5EEB95C5495D7813A60D40A63DB4599EB3153E48A61C40D14067F43D", "474332812BDFF993CD8F019B6C6A272BFF19B5D5FF5F3D159C7C046722A74AF4", "4777AA656AFE2A7E99CB0D93F8BE73D4229AC1A8C767E59363E711B828FD7059", "47B6EB3A19D6D0DB86D59E18B1DBF1EFD57AAE9964D1B04E7876E23641E9EE75", "4842A84DBF0F5AFE24AA54FAF156B0DA36BA0ABD8F7EC41826F91C93ECDE9C49", "495F28ABD6CB63A1B70FAD5FC4E6750499086493E87969EEAE95A843A0AE5D28", "4B75A64A106BF738114A5DE60A0ECBE13653DF86F60F7A5D0635A0FA5D0FEDA6", "4C86B8395A615C191CCBC8EE216129A475EC6F0EC9C347C3B9B3755117EF4CBD", "4E89B826442329F84F608AEBC62A661FE54088D85110F141977090AA4AB8678E", "4F29CA11215A2F90E9FDDE62F2C0660CD088F4BCEFA24FE3E6EBF3BF031566D7", "4FC11A8A634572C3735D30FF28BFD2B8DA238EC06C8EB4CE92CAD8303345435B", "52D70CB06062F15D668F053C1F8E44D682C68BD8E9555E5DD80D2C6DE18685EC", "5373C123BD5452F3F195025B11A997E533EBB69D09485702AD149909222F566C", "5375862729855AF25B6969FFC5594391CA818023E3CA327F27D8636EE275EB30", "5785772A628413BE750308910FFEAA8AACC7C2703F2240DE96947A5EC9FB2289", "5952692D49B58BD246695C217C8F0489556BAB8A5670C5400570111E98BA4543", "5A520DE64A775810EE90EA2F10068EB9FD1A5E9AC6CDE1D230C4715606DE537E", "5AB7C5317E6E4D84174BB8C187F10FDCA16906834043D64981ED07D790312C85", "5AD5A28018AFE1C7EEED27348294C87054AC9399C243DBAD3FFCDE9C53307F2F", "5B334294B044C0ACACF432F81982EE7B36C316C5E4DACB843750BFD06F7F7764", "5C55844CADEBECD837AA331F971C7E964338AFF22322C4EDA224B5C2642A1A70", "61F7BAC5A49720C02743993A6B629FFE8F521D86A99141A5A92D3BA8D640C9D4", "622B16D924A8A80E02FD0194C374C01255C0BEAF35ACD2E093BFA46349B11E67", "629818E44ECBBC14327D01DD31BD162798FE2E718C78D969624EEE5130B4EFF8", "62EDA7D9B8598A36B53A456850CF47D89AEAC5F96FE4326959694E056B4DB6B7", "634B663E84EA2A77C8877A4C325B2AD73559A5C9A5649E55E34602DA49B5A783", "6386F8948DEE250045178259A022D70BD9E8E6003BDBD116F95FAADC25DB23C2", "64128CC088AD8A8A05FF056027ABAF3D3251C3C763F564F1A270BAF7DE97C6C1", "665B0ECAB5CC7E33D15535085C8792393244CED57AC1BFD027C479BEE7EDB3FC", "6831CB392A220A803B79605B2065BD8CF7F963F8CF85660C44B972F19891DFDF", "68F7F2AEEE8CE9C25FC795CC19BC1C2B3688AF19BF6FD0F38D6FB1B223ED5A15", "6EBB9A897B0F899A66D07CC7AA75B75D1668BF4E6936476721AC26D0EA42069E", "6F4E5F0514046C4DFF7589304AC388DE078407580FB80C083E9C6EEB1EF34EAA", "70EEDEF0FDCBE1631C5D527B442740FA203390D990D52E7C53F262CC8B8263F9", "720FFD587B98E297434100A5E59FD063FF0989312C276C749CA94B05459D58CD", "74767FAF408C31EF10FD36E87F8FF06644380251DEDF0B8DF0EAD56F9291B3E7", "75B047BBA3A3D86E57FF5ED11A58BF675D163D5E9120073AFEF4FD3E99030BEE", "7719A552468EC5C5961F2F53FB77EEBCB6C5D494A82BE578EB98595EEECF7B8A", "77749493A2DBD6936C13EAA63911F6136F55AE09D2D48DC2785E79841B40FED4", "783F8A0949145B896F8360351FC2BF7452A30B763EA89D9702C5E328E8421BE0", "78A698C4CF4ED7512CDC3542D745C570A2C31751FB3CD8B1F65E1C4ABB0FC834", "7982C52AF077A07BEAB1AD0AFD759C1371882F030BAA768E2647C18AF085104C", "7A53E045806377D0DF2549379624E563D5C8E0F408F19CDEB870A714153397FE", "7BE0A98AD382EA03C9DC8B3AD1823A088821E0C8A49DB5570B920A8EC6B59FBA", "7C1E27DB68B9CC41157CBB4046A0C89044DE0BBB287ADEFBE68C423CA365633D", "7C4B6FB72EEDDAA73870EA526178830E841CB976F691BA86301DF8577A709CF5", "7DB4AF9785ED60F9AB9DA6C11BA5460458126A5DF1240CFA27B0DC0D1CD8F786", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "8186146BBB7B9FACB40850ED50F0BC38876D965401F8CCD4466BB7203B9C8F8A", "8272C3C28C61C1E53D2F9385C1190611F387B7773B4464CDEBC68719D4A010B1", "86075B9E2A02E79CBD1F591858642BFE044654A853F3F5F3598C54C2E1802DAC", "86277132501DAD58BB2ACB4C64FD60B259D2C0AD43248122C43F0A9DA4CD1368", "872702CED8F809873181556FCDABD834505891905F84F9FD73AD4986528D55FF", "876A45B0C95A19B8C210BACAA62E013645F0C4AEDF7B013A2746AD8C919C1A1E", "87C4E9F599CCE799CC0B5D190615A09717BAF21E6D663F6A1871FA81353CF89F", "8C5187EDAE3F30F7A01C23E8A3AAEFAA66BC89E92713C66FE4606F1B1870BA63", "8E7237871A742825580B7203D4A90FA09D03933690AF2B1232B58632454A8EF5", "916385E416A757BD73E3CDE6A483117ED060F434AFC177A023624D5B1E8C6CE9", "91C2B88975760C09E6FF306FEBBACC31916618B9AD886FB44932558DBAC9C9BB", "91D7C6C9A5739FEE5F42D389A6790AF75591DE3F4B00792DEC9B2F9736C9AA92", "92F8956056EF6268D828C1C081F6A6051735CC82E17F4C1676ED7478BA3F90A0", "944B04BA6D5B8540C7473A1468EF6DB613A8012BB5B7E2CCABDE4E7B864B2332", "95EDF03DFFFCBE6E5B5B48F31F870183216CB4BE3DE22D8DF946A33591942DA7", "95FDD089C81D5EA831C0424BFC26A9A6037DC6EF8AB52F5EA588FA1E13CB38B9", "96FAFF3C7D07405C90F28D7AA8785DE391620CE306F0F728B816138795273CE1", "981047AE796E6E2C1D2E8348FFB54D84AD6D4267C34125227C0F76A0D8A0DF1E", "99D636505B9EA1BB4C8A94B1D2E0E91F89288A21948C0439AA480C523A5C8CB8", "9C8C9EB5A51A85A41CDF6C9082A3E9A1AE95DF7546CBF5A6D51B6CA362811B57", "9F58E7FFDA8D80A4FD56687BE4C1BE660093DD7C72AE18A03F5320F8B7E0C1F0", "A064F9998E7DBC4DF1CEAC199D5E65739A1D7D741C5C9EEB357116887D79BC02", "A09018951A0F9F0B9C85455ECAA1455C0E32A9D1AD52716AF4DC1D2F9A4B8983", "A24025E5E8DFBECD8F40E7C292D9FCC4C212B6C1F927A299C2FB44D85D74F70A", "A30E12F2B88961A3A2DDF78E8F637D42FABAD056F16A2A25EE7CD0751F6D5DF5", "A3E5257E7F3541000A43AE6316C70B1F11B68DCDD4E78F407AF38AAFBD1CB780", "A52A98EDDE1D6C0A6034F96CE62C30E3EEF3E309278235A82CB3223AEB327B9E", "A62622AACE3EDEE7C0685473486C2416A776458E05DC1E5DCDF6CAEDC18554F3", "A6A112C52CDAC99718BF9E5ED7E1CCFB273A24E89BEB3F4E10C47B550A16F536", "A6D737ADE03B032A42291D50B5DFC8276AA6AB0C24E9163A9958098D0E9747B6", "A8EC4F91E2F013791F540F670A3496CAD8D5C16347308AEC3639DD391A2968DD", "A9D23D6BF534301222123D9B10700AAE50EE9A370B9B48EBF9F771708759C2CE", "AD07FBFE41C71959BA164DC477AA5C9937143E243C7EA2C9CB72779238BB5E2B", "AD3C91C9E37A5C20144E0684A93E665E701EC4602A4275E6CB679E8ABF67832C", "AD6CCE2A1D5A9869BD583668A696E96D5711DC6790008CC35A1991D46E49ABE2", "AD95CA7C23870D3804DD52C9A6B346994AFF4FE894A7AB9E451D67947633D8B0", "AF27D927E033F9A05944EF734E31C26BDC37F05372B123BB70E9C78AFEEEC60D", "AF4B156A39D4CBF2B2DDA958D891B672B5585B4F7867D86B790D16DF7EF4B07C", "B0FB98D09F3AB63566DF3496E722777261EC73210A72EB2A2FAB701E3D4F7054", "B20267AD3E82E79F961AAB5D227CDE0F1B61822D3B12013F34C4B8E77C727A30", "B24254B21A4662C23CC07F893FB4BDD1CF177E0217FCEB9A8772DF857EB6CD6D", "B47E12F9B1159C7E12C18A61FA184BEA99E5D99C56221EB34EC436444551FDF1", "B4C0F2187DED4056461473842EE347054AB491FE249116F82B3ECABB516D4EF1", "B4F015CA1BC19318C8DA8FC04DEFFCC97044A5F3CECB6DC74CE9FF4140A82745", "B5260521EFDA5B0F9F73A78BD2E58D783A90882A6B4D2635A4A67BA60AFFB731", "B55C78ED054A04D7CF402F9C161B9C4DF1BB709929540DC002FF6E726FE16F65", "B595607445CC433A7E72300D02273FF610501CF691C3F7B21942D87B4B445A96", "B737A154F7C863B72C62E86E920DEDA62521A380DFA3489AD636FCBF39353BF0", "B76DC607E6D34377EEE262425D123BE37DE9976C1E8C0C2879E6953C356E7375", "B7D89EF8EC2706BE1F17B1F44E5AAB08C07976195FEB0B21B48B14BE0109ABE6", "B9051747F88831192F96587848768281C92A21A5454B834EF436587B70A065DE", "BC776F326A1AC46F633B7A25BFA7DD2B1842CE70C5093DCAD1C9052AD64A0590", "BE51B4D7BA3C4A79DE20E3F69DBE84BE8D31F54B22537E29FF188C8E94FD3552", "BF257B09066E1EFC961AB255C379F17613A25862B0CD2451B485CDBAFDD1C1CF", "C0276662C689772637EAF0F1EA697AAE7618A640211E05E14816B6C45314B710", "C059E6471C5CA981A5CB491F3D5A4861F2BA605A6C837BB0F27E344C67B16950", "C078ABAA6E4D80D641295C64101FDA8E9D886F6111077E1C84B7D25B9218FF32", "C197CFA48A392ED032551EAF7A52941BDFF0E637471A2CF6510D6AA764C7CB3F", "C38D6ABC79203A68FBEFD4AF0550B930A12344E61F2BA7EBD4A32B10F48FF4F4", "C459C0C1526630BE934C697B184718A100D861794FBE3E6446599F43A9FB92FD", "C5B21D20669BCF8004F64CC2889BAD78F2D08437003207B4E1F5904BE53FAF68", "C5F628240DB4B1EAE3DA0AE709FE38C5E457D2CF3B13A8612B5AB159E298A3B3", "C88F1D0F2E82F0BAF248BEFD6CE8600095CB7D8242F192906DA3D353C6731D59", "C9A62458FFCDA7D13068BA51A14F3364875030AD9E3379B54C1EB8EAA4DD8D49", "CA6E62CB32AA91296638D9DAB5072711CB69A35615F7FC69D8B55BD25BE71F67", "CC6EC6642F504040F49FD6C9B2F8ED7A7B6193435EC54E02906DCB6C0648A228", "CD5FECEC1FA365671DCCB18A7D34489E86A144048A22E2EF72AEB187E98A501B", "CDD93933A317B04B50C248F3EB04FC47F3F9FD68CCF07F6CAD56D189A531A84D", "CFCC2C58BF1AD2C952636D656CF06F0EFD78FE99D3B9906329BFD0F9AF6AB31D", "D08A02CEB5939252CB2D7B02500ED35BAFC647E281089A3149B7ED28FC8CE3F2", "D241D22EFC935B1DE05EFFD42F22EE5ACE1A676DBA4AE78F8E80922D7804F561", "D5669E8BD806DAFD5634A46DC91CB3F3DF803505AB2E560048173E1D18CE20EB", "D584A7431954784B3FEB83ACF1F23BA9FC46708E39503B152D181C82C0E962A8", "D6CB8BDB98C87151BEAD3D59146F78C97994CC0C6BF9888D5472B0BB9524DBB7", "D709D9AEFFEA65B5D2B3F250EAA35B7567EA2C85B722CBD20CA9AEC1783BC300", "D7223669F837AB80390958B899F52861611C307D6B8D138B8989B36879EA3A71", "D91605E64DFAEE8A32F73EC0EC9ED7EBC0261F11D34A19BC35970E6878F02001", "DD84D17011AD589730F271126164A68CD3BE3C8E20DAEA2773A45E6355B3E90D", "DE3422F091BEAF937A6AAF2F474509A669B7CE95027496E1A397C52DB56CA841", "E20535CF9A056DC817B60582190FBB4DDCB7E1BFAA691A8A3587856D26D28792", "E45D0FBD75AE08F9C00C2E2B6B98A6BE401B51A81F886C6E6A16C7F227ADFD84", "E5EA1ABA09C0B7BA9C99C3CA24CC6F67B4249EFAC33F9E2686685604DDE79CB6", "E7656AF9CD390F5923F2057D1E129C55B9278BD1872617B38D1DAA13A55E0AE0", "E8B622A20154C0D070D4BFC473B062648A8B30F2DC4928FABC794E27583489A8", "ECFAD8E6C02ED1FDC660B7F94B3208DFF757AAB82DA3254B7ACBC8A758CB95BF", "EE6A497E94604BB79DF6958408A4B3526A8046A68E01669E6E70BBCF080D8A50", "EF9079290B88737FC8A621793C98EB82287DB53AD77BEA20CCA44251326E2BB9", "EFF110BCB9EDCBDB618BE8EC7DF42715A87607794FE8143FE35FE864675727A5", "F1A3C1D97DA756217EC632D6907F150A84B75091EECA5C387606676B94FB2E66", "F22ED825C22AB58672C0ABFD2373B89350AF9AECC64349448F553F64D407408D", "F4CE45326C2C511AAF8B1B3310EED8A2012F75D8C6BF2B84AB88A5C9BE1FD5F9", "F68AB9809A9ED0BF2F7F7D45080968ACBD941A3E4FB54AE4EF30774448A70284", "F84D486AA810B46EE5EE6FC3DBA9BFFD8D5E302380DF519189BF06A5D4E97BA8", "F9E38C8AA79EB65D0AB6D29252A948C36A8EA4B704C656599FD30BCE57AFE766", "FA35B92A299B675BEA0342A01E6C1F59FDC7A8D103D38B27A3E27A0758B36DC2", "FA959A305942D2787EE3CC85907D22033D069840862DAABCDA48CD65E868084A", "FB43C322D859482E6F424163C13881EEC31212B103D2BE6DF6958A5644CEC6E6", "FDCB4E6C4277FDFD15E80FF634F47BE58F1BF450E5C755680F03A59B34CE72EB", "FE18831615541F372F1E403154D5BD9000BA370337591474437AE8CB8016D17F"]}, {"type": "ics", "idList": ["ICSA-23-075-01", "ICSA-23-080-07", "ICSA-23-166-12"]}, {"type": "kaspersky", "idList": ["KLA12516"]}, {"type": "mageia", "idList": ["MGASA-2022-0124", "MGASA-2022-0261", "MGASA-2022-0314"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0A61417A438C7DDFAF7749BDD909CF11"]}, {"type": "mariadbunix", "idList": ["MARIA:CVE-2018-25032", "MARIA:USN-5739-1"]}, {"type": "nessus", "idList": ["AL2022_ALAS2022-2022-100.NASL", "AL2022_ALAS2022-2022-158.NASL", "AL2022_ALAS2022-2022-159.NASL", "AL2023_ALAS2023-2023-002.NASL", "AL2023_ALAS2023-2023-003.NASL", "AL2_ALAS-2022-002.NASL", "AL2_ALAS-2022-1772.NASL", "AL2_ALAS-2022-1778.NASL", "AL2_ALAS-2022-1790.NASL", "AL2_ALAS-2022-1791.NASL", "AL2_ALAS-2022-1835.NASL", "AL2_ALASCORRETTO8-2022-002.NASL", "AL2_ALASJAVA-OPENJDK11-2022-002.NASL", "ALA_ALAS-2022-1602.NASL", "ALA_ALAS-2022-1631.NASL", "ALA_ALAS-2022-1633.NASL", "ALA_ALAS-2022-1640.NASL", "ALMA_LINUX_ALSA-2022-1445.NASL", "ALMA_LINUX_ALSA-2022-1728.NASL", "ALMA_LINUX_ALSA-2022-1729.NASL", "ALMA_LINUX_ALSA-2022-2137.NASL", "ALMA_LINUX_ALSA-2022-4584.NASL", "ALMA_LINUX_ALSA-2022-4592.NASL", "ALMA_LINUX_ALSA-2022-7813.NASL", "ALMA_LINUX_ALSA-2022-8420.NASL", "AMAZON_CORRETTO_11_0_15_9_1.NASL", "AMAZON_CORRETTO_17_0_3_6_1.NASL", "AMAZON_CORRETTO_18_0_1_10_1.NASL", "AMAZON_CORRETTO_8_332_08_1.NASL", "CENTOS_RHSA-2022-1440.NASL", "CENTOS_RHSA-2022-1487.NASL", "CENTOS_RHSA-2022-2213.NASL", "DEBIAN_DLA-2968.NASL", "DEBIAN_DLA-2993.NASL", "DEBIAN_DLA-3006.NASL", "DEBIAN_DLA-3114.NASL", "DEBIAN_DSA-5111.NASL", "DEBIAN_DSA-5128.NASL", "DEBIAN_DSA-5131.NASL", "EULEROS_SA-2022-1777.NASL", "EULEROS_SA-2022-1894.NASL", "EULEROS_SA-2022-1913.NASL", "EULEROS_SA-2022-1920.NASL", "EULEROS_SA-2022-1932.NASL", "EULEROS_SA-2022-1956.NASL", "EULEROS_SA-2022-1986.NASL", "EULEROS_SA-2022-2016.NASL", "EULEROS_SA-2022-2105.NASL", "EULEROS_SA-2022-2125.NASL", "EULEROS_SA-2022-2150.NASL", "EULEROS_SA-2022-2175.NASL", "EULEROS_SA-2022-2224.NASL", "EULEROS_SA-2022-2272.NASL", "EULEROS_SA-2022-2371.NASL", "EULEROS_SA-2022-2407.NASL", "EULEROS_SA-2022-2534.NASL", "EULEROS_SA-2022-2543.NASL", "EULEROS_SA-2022-2598.NASL", "EULEROS_SA-2022-2616.NASL", "EULEROS_SA-2022-2617.NASL", "EULEROS_SA-2022-2659.NASL", "EULEROS_SA-2022-2691.NASL", "EULEROS_SA-2022-2723.NASL", "EULEROS_SA-2022-2736.NASL", "EULEROS_SA-2022-2758.NASL", "EULEROS_SA-2022-2771.NASL", "EULEROS_SA-2022-2816.NASL", "EULEROS_SA-2022-2841.NASL", "EULEROS_SA-2022-2911.NASL", "EULEROS_SA-2022-2937.NASL", "EULEROS_SA-2023-1094.NASL", "EULEROS_SA-2023-1111.NASL", "EULEROS_SA-2023-1118.NASL", "EULEROS_SA-2023-1135.NASL", "EULEROS_SA-2023-1187.NASL", "EULEROS_SA-2023-1197.NASL", "EULEROS_SA-2023-1217.NASL", "EULEROS_SA-2023-1227.NASL", "EULEROS_SA-2023-1305.NASL", "EULEROS_SA-2023-1349.NASL", "EULEROS_SA-2023-1370.NASL", "EULEROS_SA-2023-1377.NASL", "EULEROS_SA-2023-1398.NASL", "EULEROS_SA-2023-1405.NASL", "EULEROS_SA-2023-1416.NASL", "EULEROS_SA-2023-1420.NASL", "EULEROS_SA-2023-1431.NASL", "EULEROS_SA-2023-1620.NASL", "EULEROS_SA-2023-1629.NASL", "EULEROS_SA-2023-1654.NASL", "EULEROS_SA-2023-1663.NASL", "EULEROS_SA-2023-1729.NASL", "EULEROS_SA-2023-1741.NASL", "EULEROS_SA-2023-1884.NASL", "EULEROS_SA-2023-1915.NASL", "EULEROS_SA-2023-2048.NASL", "EULEROS_SA-2023-2054.NASL", "EULEROS_SA-2023-2099.NASL", "EULEROS_SA-2023-2106.NASL", "F5_BIGIP_SOL21548854.NASL", "FREEBSD_PKG_36D10AF7248D11ED856ED4C9EF517024.NASL", "FREEBSD_PKG_38F2E3A0B61E11EC9EBC1C697AA5A594.NASL", "FREEBSD_PKG_8E15060608C911ED856ED4C9EF517024.NASL", "GENTOO_GLSA-202210-42.NASL", "IBM_ASPERA_FASPEX_4_4_2_185316.NASL", "IBM_WEBSPHERE_XS_6598349.NASL", "MACOS_HT213255.NASL", "MACOS_HT213256.NASL", "MACOS_HT213257.NASL", "MARIADB_10_3_36.NASL", "MARIADB_10_4_26.NASL", "MARIADB_10_5_17.NASL", "MARIADB_10_6_9.NASL", "MARIADB_10_7_5.NASL", "MARIADB_10_8_4.NASL", "MARIADB_10_9_2.NASL", "MYSQL_5_7_39.NASL", "MYSQL_8_0_30.NASL", "NESSUS_TNS-2022-11.NASL", "NEWSTART_CGSL_NS-SA-2023-0002_ZLIB.NASL", "NEWSTART_CGSL_NS-SA-2023-0004_ZLIB.NASL", "NEWSTART_CGSL_NS-SA-2023-0006_RSYNC.NASL", "NEWSTART_CGSL_NS-SA-2023-0021_ZLIB.NASL", "NUTANIX_NXSA-AHV-20201105_2298.NASL", "NUTANIX_NXSA-AHV-20201105_30398.NASL", "NUTANIX_NXSA-AHV-20220304_10013.NASL", "NUTANIX_NXSA-AHV-20220304_242.NASL", "NUTANIX_NXSA-AHV-20230302_207.NASL", "NUTANIX_NXSA-AOS-5_20_4_5.NASL", "NUTANIX_NXSA-AOS-5_20_5.NASL", "NUTANIX_NXSA-AOS-6_1_1_5.NASL", "NUTANIX_NXSA-AOS-6_6.NASL", "OPENJDK_2022-04-19.NASL", "OPENSUSE-2022-10126-1.NASL", "OPENSUSE-2022-1061-1.NASL", "ORACLELINUX_ELSA-2022-1440.NASL", "ORACLELINUX_ELSA-2022-1442.NASL", "ORACLELINUX_ELSA-2022-1445.NASL", "ORACLELINUX_ELSA-2022-1487.NASL", "ORACLELINUX_ELSA-2022-1491.NASL", "ORACLELINUX_ELSA-2022-1642.NASL", "ORACLELINUX_ELSA-2022-1728.NASL", "ORACLELINUX_ELSA-2022-1729.NASL", "ORACLELINUX_ELSA-2022-2137.NASL", "ORACLELINUX_ELSA-2022-2201.NASL", "ORACLELINUX_ELSA-2022-2213.NASL", "ORACLELINUX_ELSA-2022-4584.NASL", "ORACLELINUX_ELSA-2022-4592.NASL", "ORACLELINUX_ELSA-2022-8420.NASL", "ORACLELINUX_ELSA-2022-9565.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2023.NASL", "ORACLE_JAVA_CPU_2022_APR.NASL", "ORACLE_JAVA_CPU_APR_2022.NASL", "ORACLE_JAVA_CPU_APR_2022_UNIX.NASL", "ORACLE_RDBMS_CPU_JAN_2023.NASL", "ORACLE_RDBMS_CPU_JAN_2023_WIN.NASL", "REDHAT-RHSA-2022-1440.NASL", "REDHAT-RHSA-2022-1441.NASL", "REDHAT-RHSA-2022-1442.NASL", "REDHAT-RHSA-2022-1443.NASL", "REDHAT-RHSA-2022-1444.NASL", "REDHAT-RHSA-2022-1445.NASL", "REDHAT-RHSA-2022-1487.NASL", "REDHAT-RHSA-2022-1488.NASL", "REDHAT-RHSA-2022-1489.NASL", "REDHAT-RHSA-2022-1490.NASL", "REDHAT-RHSA-2022-1491.NASL", "REDHAT-RHSA-2022-1591.NASL", "REDHAT-RHSA-2022-1642.NASL", "REDHAT-RHSA-2022-1661.NASL", "REDHAT-RHSA-2022-1728.NASL", "REDHAT-RHSA-2022-1729.NASL", "REDHAT-RHSA-2022-2137.NASL", "REDHAT-RHSA-2022-2192.NASL", "REDHAT-RHSA-2022-2197.NASL", "REDHAT-RHSA-2022-2198.NASL", "REDHAT-RHSA-2022-2201.NASL", "REDHAT-RHSA-2022-2213.NASL", "REDHAT-RHSA-2022-2214.NASL", "REDHAT-RHSA-2022-4584.NASL", "REDHAT-RHSA-2022-4592.NASL", "REDHAT-RHSA-2022-4845.NASL", "REDHAT-RHSA-2022-4896.NASL", "REDHAT-RHSA-2022-4957.NASL", "REDHAT-RHSA-2022-4959.NASL", "REDHAT-RHSA-2022-5439.NASL", "REDHAT-RHSA-2022-5837.NASL", "REDHAT-RHSA-2022-7813.NASL", "REDHAT-RHSA-2022-8420.NASL", "REDHAT-RHSA-2023-0943.NASL", "REDHAT-RHSA-2023-0975.NASL", "REDHAT-RHSA-2023-0976.NASL", "REDHAT-RHSA-2023-3136.NASL", "SLACKWARE_SSA_2022-087-01.NASL", "SLACKWARE_SSA_2022-228-01.NASL", "SL_20220420_JAVA_11_OPENJDK_ON_SL7_X.NASL", "SL_20220517_ZLIB_ON_SL7_X.NASL", "SUSE_SU-2022-1023-1.NASL", "SUSE_SU-2022-1043-1.NASL", "SUSE_SU-2022-1061-1.NASL", "SUSE_SU-2022-1062-1.NASL", "SUSE_SU-2022-1474-1.NASL", "SUSE_SU-2022-14929-1.NASL", "SUSE_SU-2022-1513-1.NASL", "SUSE_SU-2022-2530-1.NASL", "SUSE_SU-2022-2531-1.NASL", "SUSE_SU-2022-2539-1.NASL", "SUSE_SU-2022-2540-1.NASL", "SUSE_SU-2022-2650-1.NASL", "SUSE_SU-2022-3092-1.NASL", "SUSE_SU-2022-3225-1.NASL", "SUSE_SU-2023-1850-1.NASL", "TENABLE_OT_SIEMENS_CVE-2018-25032.NASL", "UBUNTU_USN-5355-1.NASL", "UBUNTU_USN-5355-2.NASL", "UBUNTU_USN-5359-1.NASL", "UBUNTU_USN-5359-2.NASL", "UBUNTU_USN-5388-1.NASL", "UBUNTU_USN-5388-2.NASL", "UBUNTU_USN-5546-1.NASL", "UBUNTU_USN-5546-2.NASL", "UBUNTU_USN-5739-1.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2022", "ORACLE:CPUAPR2023", "ORACLE:CPUJAN2023", "ORACLE:CPUJUL2022", "ORACLE:CPUJUL2023", "ORACLE:CPUOCT2022"]}, {"type": "oraclelinux", "idList": ["ELSA-2022-1440", "ELSA-2022-1442", "ELSA-2022-1445", "ELSA-2022-1487", "ELSA-2022-1491", "ELSA-2022-1642", "ELSA-2022-1728", "ELSA-2022-1729", "ELSA-2022-2137", "ELSA-2022-2201", "ELSA-2022-2213", "ELSA-2022-4584", "ELSA-2022-4592", "ELSA-2022-8420", "ELSA-2022-9565"]}, {"type": "osv", "idList": ["OSV:CVE-2018-25032", "OSV:DLA-2968-1", "OSV:DLA-2993-1", "OSV:DLA-3114-1", "OSV:DSA-5111-1", "OSV:GHSA-CQCC-MM6X-VMVW", "OSV:GHSA-JC36-42CF-VQWJ", "OSV:GHSA-V6GP-9MMM-C6P5"]}, {"type": "owncloud", "idList": ["OWNCLOUD:CVE-2018-25032"]}, {"type": "photon", "idList": ["PHSA-2022-0171", "PHSA-2022-0381", "PHSA-2022-3.0-0381", "PHSA-2022-4.0-0171", "PHSA-2023-3.0-0601", "PHSA-2023-3.0-0614", "PHSA-2023-5.0-0050"]}, {"type": "prion", "idList": ["PRION:CVE-2022-21426", "PRION:CVE-2022-21434", "PRION:CVE-2022-21443", "PRION:CVE-2022-21449", "PRION:CVE-2022-21476", "PRION:CVE-2022-21496"]}, {"type": "qt", "idList": ["QT:4450E23D85850EEC88DDB90DB16B99C2"]}, {"type": "redhat", "idList": ["RHSA-2022:1435", "RHSA-2022:1436", "RHSA-2022:1437", "RHSA-2022:1438", "RHSA-2022:1439", "RHSA-2022:1440", "RHSA-2022:1441", "RHSA-2022:1442", "RHSA-2022:1443", "RHSA-2022:1444", "RHSA-2022:1445", "RHSA-2022:1487", "RHSA-2022:1488", "RHSA-2022:1489", "RHSA-2022:1490", "RHSA-2022:1491", "RHSA-2022:1492", "RHSA-2022:1591", "RHSA-2022:1622", "RHSA-2022:1642", "RHSA-2022:1661", "RHSA-2022:1679", "RHSA-2022:1681", "RHSA-2022:1699", "RHSA-2022:1713", "RHSA-2022:1715", "RHSA-2022:1728", "RHSA-2022:1729", "RHSA-2022:1747", "RHSA-2022:2137", "RHSA-2022:2183", "RHSA-2022:2192", "RHSA-2022:2197", "RHSA-2022:2198", "RHSA-2022:2201", "RHSA-2022:2213", "RHSA-2022:2214", "RHSA-2022:2216", "RHSA-2022:2217", "RHSA-2022:2218", "RHSA-2022:2264", "RHSA-2022:2265", "RHSA-2022:2268", "RHSA-2022:2272", "RHSA-2022:2281", "RHSA-2022:2283", "RHSA-2022:4584", "RHSA-2022:4592", "RHSA-2022:4671", "RHSA-2022:4690", "RHSA-2022:4691", "RHSA-2022:4692", "RHSA-2022:4814", "RHSA-2022:4845", "RHSA-2022:4863", "RHSA-2022:4880", "RHSA-2022:4896", "RHSA-2022:4957", "RHSA-2022:4959", "RHSA-2022:4985", "RHSA-2022:5006", "RHSA-2022:5026", "RHSA-2022:5069", "RHSA-2022:5070", "RHSA-2022:5132", "RHSA-2022:5152", "RHSA-2022:5187", "RHSA-2022:5188", "RHSA-2022:5192", "RHSA-2022:5201", "RHSA-2022:5392", "RHSA-2022:5439", "RHSA-2022:5483", "RHSA-2022:5699", "RHSA-2022:5837", "RHSA-2022:5840", "RHSA-2022:5924", "RHSA-2022:6429", "RHSA-2022:6526", "RHSA-2022:6890", "RHSA-2022:7144", "RHSA-2022:7813", "RHSA-2022:8420", "RHSA-2023:0943", "RHSA-2023:0975", "RHSA-2023:0976", "RHSA-2023:3136", "RHSA-2023:3742"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-25032", "RH:CVE-2022-21426", "RH:CVE-2022-21434", "RH:CVE-2022-21443", "RH:CVE-2022-21449", "RH:CVE-2022-21476", "RH:CVE-2022-21496"]}, {"type": "redos", "idList": ["ROS-20220329-01"]}, {"type": "rocky", "idList": ["RLSA-2022:1442", "RLSA-2022:1445", "RLSA-2022:1491", "RLSA-2022:1642", "RLSA-2022:2201"]}, {"type": "rosalinux", "idList": ["ROSA-SA-2023-2136", "ROSA-SA-2023-2138", "ROSA-SA-2023-2139", "ROSA-SA-2023-2156", "ROSA-SA-2023-2230"]}, {"type": "rubygems", "idList": ["RUBY:NOKOGIRI-2018-25032"]}, {"type": "slackware", "idList": ["SSA-2022-087-01", "SSA-2022-228-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2022:10126-1", "OPENSUSE-SU-2022:1061-1", "SUSE-SU-2022:1513-1", "SUSE-SU-2022:2174-1", "SUSE-SU-2022:2530-1", "SUSE-SU-2022:2650-1", "SUSE-SU-2022:3092-1"]}, {"type": "thn", "idList": ["THN:310EB567B44B56BE468BF60195081DC7"]}, {"type": "trellix", "idList": ["TRELLIX:33C611A7064C89E309C4A45CAE585BD5"]}, {"type": "ubuntu", "idList": ["USN-5355-1", "USN-5355-2", "USN-5359-1", "USN-5359-2", "USN-5388-1", "USN-5388-2", "USN-5546-1", "USN-5546-2", "USN-5739-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-25032", "UB:CVE-2022-21426", "UB:CVE-2022-21434", "UB:CVE-2022-21443", "UB:CVE-2022-21449", "UB:CVE-2022-21476", "UB:CVE-2022-21496"]}, {"type": "veracode", "idList": ["VERACODE:34863", "VERACODE:35218", "VERACODE:35222", "VERACODE:35223", "VERACODE:35224", "VERACODE:35225", "VERACODE:35226"]}, {"type": "virtuozzo", "idList": ["VZA-2022-016", "VZA-2022-017"]}]}, "epss": [{"cve": "CVE-2018-25032", "epss": 0.00189, "percentile": 0.54931, "modified": "2023-05-02"}, {"cve": "CVE-2022-21426", "epss": 0.00059, "percentile": 0.22699, "modified": "2023-05-02"}, {"cve": "CVE-2022-21434", "epss": 0.00055, "percentile": 0.20895, "modified": "2023-05-02"}, {"cve": "CVE-2022-21443", "epss": 0.00059, "percentile": 0.22699, "modified": "2023-05-02"}, {"cve": "CVE-2022-21449", "epss": 0.00218, "percentile": 0.58267, "modified": "2023-05-02"}, {"cve": "CVE-2022-21476", "epss": 0.00065, "percentile": 0.26594, "modified": "2023-05-02"}, {"cve": "CVE-2022-21496", "epss": 0.00055, "percentile": 0.20895, "modified": "2023-05-02"}], "vulnersScore": 7.5}, "_state": {"score": 1698944088, "dependencies": 1698942479, "epss": 0}, "_internal": {"score_hash": "9a7a608949ad28b68e34e2d9a8ab36aa"}, "pluginID": "159902", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159902);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/01\");\n\n script_cve_id(\n \"CVE-2018-25032\",\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n\n script_name(english:\"Azul Zulu Java Multiple Vulnerabilities (2022-04-19)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Azul Zulu OpenJDK is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Azul Zulu installed on the remote host is prior to 6 < 6.47 / 7 < 7.53.0.16 / 8 < 8.61.0.18 / 11 <\n11.55.18 / 13 < 13.47.16 / 15 < 15.39.16 / 17 < 17.33.16 / 18 < 18.30.12. It is, therefore, affected by multiple\nvulnerabilities as referenced in the 2022-04-19 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many\n distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21449, CVE-2022-21476)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.azul.com/core/zulu-openjdk/release-notes/april-2022\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2022 Azul Zulu OpenJDK Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:azul:zulu\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"zulu_java_nix_installed.nbin\", \"zulu_java_win_installed.nbin\");\n script_require_keys(\"installed_sw/Java\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_list = ['Azul Zulu Java'];\nvar app_info = vcf::java::get_app_info(app:app_list);\nvar package_type = app_info['Reported Code'];\n\nif ('NV' == package_type)\n{\n audit(AUDIT_PACKAGE_NOT_AFFECTED, package_type);\n}\nelse if ('SA' == package_type)\n{\n var constraints = [\n { 'min_version' : '6.0.0', 'fixed_version' : '6.47', 'fixed_display' : 'Upgrade to a version 6.47 (SA) and above' },\n { 'min_version' : '7.0.0', 'fixed_version' : '7.53.0.16', 'fixed_display' : 'Upgrade to a version 7.53.0.16 (SA) and above' },\n { 'min_version' : '8.0.0', 'fixed_version' : '8.61.0.18', 'fixed_display' : 'Upgrade to a version 8.61.0.18 (SA) and above' },\n { 'min_version' : '11.0.0', 'fixed_version' : '11.55.18', 'fixed_display' : 'Upgrade to a version 11.55.18 (SA) and above' },\n { 'min_version' : '13.0.0', 'fixed_version' : '13.47.16', 'fixed_display' : 'Upgrade to a version 13.47.16 (SA) and above' },\n { 'min_version' : '15.0.0', 'fixed_version' : '15.39.16', 'fixed_display' : 'Upgrade to a version 15.39.16 (SA) and above' },\n { 'min_version' : '17.0.0', 'fixed_version' : '17.33.16', 'fixed_display' : 'Upgrade to a version 17.33.16 (SA) and above' },\n { 'min_version' : '18.0.0', 'fixed_version' : '18.30.12', 'fixed_display' : 'Upgrade to a version 18.30.12 (SA) and above' }\n ];\n}\nelse if ('CA' == package_type)\n{\n var constraints = [\n { 'min_version' : '7.0.0', 'fixed_version' : '7.54.0.13', 'fixed_display' : 'Upgrade to a version 7.54.0.13 (CA) and above' },\n { 'min_version' : '8.0.0', 'fixed_version' : '8.62.0.19', 'fixed_display' : 'Upgrade to a version 8.62.0.19 (CA) and above' },\n { 'min_version' : '11.0.0', 'fixed_version' : '11.56.19', 'fixed_display' : 'Upgrade to a version 11.56.19 (CA) and above' },\n { 'min_version' : '13.0.0', 'fixed_version' : '13.48.19', 'fixed_display' : 'Upgrade to a version 13.48.19 (CA) and above' },\n { 'min_version' : '15.0.0', 'fixed_version' : '15.40.19', 'fixed_display' : 'Upgrade to a version 15.40.19 (CA) and above' },\n { 'min_version' : '17.0.0', 'fixed_version' : '17.34.19', 'fixed_display' : 'Upgrade to a version 17.34.19 (CA) and above' },\n { 'min_version' : '18.0.0', 'fixed_version' : '18.30.11', 'fixed_display' : 'Upgrade to a version 18.30.11 (CA) and above' }\n ];\n}\nelse\n{\n audit(AUDIT_HOST_NOT, 'an affected package type');\n}\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "naslFamily": "Misc.", "cpe": ["cpe:/a:azul:zulu"], "solution": "Apply the appropriate patch according to the April 2022 Azul Zulu OpenJDK Patch Update advisory.", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2022-21496", "vendor_cvss2": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "vendor_cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "vpr": {"risk factor": "Medium", "score": "5.1"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2022-04-19T00:00:00", "vulnerabilityPublicationDate": "2022-03-25T00:00:00", "exploitableWith": []}

{"nessus": [{"lastseen": "2023-08-15T16:02:02", "description": "This plugin has been deprecated and will be replaced by oracle_java_cpu_2022_apr.nasl. This will cover both windows and unix support for Java Oracle April 2022 CPU", "cvss3": {}, "published": "2022-04-20T00:00:00", "type": "nessus", "title": "Oracle Java SE Multiple Vulnerabilities (Unix April 2022 CPU) deprecated", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-17T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_APR_2022_UNIX.NASL", "href": "https://www.tenable.com/plugins/nessus/159974", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n#\n# (C) Tenable, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2022/05/04. Deprecated by oracle_java_cpu_2022_apr.nasl.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159974);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/17\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170\");\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (Unix April 2022 CPU) deprecated\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin has been deprecated and will be replaced by oracle_java_cpu_2022_apr.nasl. This will cover \nboth windows and unix support for Java Oracle April 2022 CPU\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA\");\n script_set_attribute(attribute:\"solution\", value:\n\"n/a.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed_unix.nasl\");\n script_require_keys(\"Host/Java/JRE/Installed\");\n\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use oracle_java_cpu_2022.nasl instead.');", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-04T15:19:55", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1445 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-20T00:00:00", "type": "nessus", "title": "RHEL 8 : java-17-openjdk (RHSA-2022:1445)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-31T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-slowdebug"], "id": "REDHAT-RHSA-2022-1445.NASL", "href": "https://www.tenable.com/plugins/nessus/160022", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1445. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160022);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/31\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1445\");\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"RHEL 8 : java-17-openjdk (RHSA-2022:1445)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1445 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21449\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1445\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075821\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 179, 191, 347, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-17-openjdk / java-17-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-05T08:23:27", "description": "The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:1445 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-08-07T00:00:00", "type": "nessus", "title": "AlmaLinux 8 : java-17-openjdk (ALSA-2022:1445)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-08-07T00:00:00", "cpe": ["p-cpe:/a:alma:linux:java-17-openjdk", "p-cpe:/a:alma:linux:java-17-openjdk-demo", "p-cpe:/a:alma:linux:java-17-openjdk-demo-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-demo-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-devel", "p-cpe:/a:alma:linux:java-17-openjdk-devel-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-devel-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-headless", "p-cpe:/a:alma:linux:java-17-openjdk-headless-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-headless-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-javadoc", "p-cpe:/a:alma:linux:java-17-openjdk-javadoc-zip", "p-cpe:/a:alma:linux:java-17-openjdk-jmods", "p-cpe:/a:alma:linux:java-17-openjdk-jmods-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-jmods-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-src", "p-cpe:/a:alma:linux:java-17-openjdk-src-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-src-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-static-libs", "p-cpe:/a:alma:linux:java-17-openjdk-static-libs-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-static-libs-slowdebug", "cpe:/o:alma:linux:8", "cpe:/o:alma:linux:8::appstream", "cpe:/o:alma:linux:8::powertools"], "id": "ALMA_LINUX_ALSA-2022-1445.NASL", "href": "https://www.tenable.com/plugins/nessus/179418", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2022:1445.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(179418);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/08/07\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"ALSA\", value:\"2022:1445\");\n\n script_name(english:\"AlmaLinux 8 : java-17-openjdk (ALSA-2022:1445)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nALSA-2022:1445 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle\n GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion\n or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/8/ALSA-2022-1445.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(191, 20, 347, 400, 470, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:8::powertools\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 8.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nvar pkgs = [\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-17-openjdk / java-17-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-02T15:04:18", "description": "The version of Amazon Corretto installed on the remote host is prior to 17 < 17.0.3.6.1. It is, therefore, affected by multiple vulnerabilities as referenced in the corretto-17-2022-Apr-17 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21449)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-19T00:00:00", "type": "nessus", "title": "Amazon Corretto Java 17.x < 17.0.3.6.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-25032", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21496"], "modified": "2023-11-01T00:00:00", "cpe": ["cpe:/a:amazon:corretto"], "id": "AMAZON_CORRETTO_17_0_3_6_1.NASL", "href": "https://www.tenable.com/plugins/nessus/159900", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159900);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/01\");\n\n script_cve_id(\n \"CVE-2018-25032\",\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21496\"\n );\n\n script_name(english:\"Amazon Corretto Java 17.x < 17.0.3.6.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Amazon Corretto is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Amazon Corretto installed on the remote host is prior to 17 < 17.0.3.6.1. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the corretto-17-2022-Apr-17 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many\n distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21449)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/corretto/corretto-17/blob/develop/CHANGELOG.md#corretto-version-170361\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e204005\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Amazon Corretto Java 17.0.3.6.1 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21449\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:amazon:corretto\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"amazon_corretto_win_installed.nbin\", \"amazon_corretto_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Java\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_list = ['Amazon Corretto Java'];\nvar app_info = vcf::java::get_app_info(app:app_list);\n\nvar constraints = [\n { 'min_version' : '17.0', 'fixed_version' : '17.0.3.6.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-02T15:04:20", "description": "The version of Amazon Corretto installed on the remote host is prior to 18 < 18.0.1.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the corretto-18-2022-Apr-19 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21449)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-19T00:00:00", "type": "nessus", "title": "Amazon Corretto Java 18.x < 18.0.1.10.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-25032", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21496"], "modified": "2023-11-01T00:00:00", "cpe": ["cpe:/a:amazon:corretto"], "id": "AMAZON_CORRETTO_18_0_1_10_1.NASL", "href": "https://www.tenable.com/plugins/nessus/159896", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159896);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/01\");\n\n script_cve_id(\n \"CVE-2018-25032\",\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21496\"\n );\n\n script_name(english:\"Amazon Corretto Java 18.x < 18.0.1.10.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Amazon Corretto is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Amazon Corretto installed on the remote host is prior to 18 < 18.0.1.10.1. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the corretto-18-2022-Apr-19 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many\n distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21449)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/corretto/corretto-18/blob/develop/CHANGELOG.md#corretto-version-1801101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?72d07f4b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Amazon Corretto Java 18.0.1.10.1 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21449\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:amazon:corretto\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"amazon_corretto_win_installed.nbin\", \"amazon_corretto_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Java\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_list = ['Amazon Corretto Java'];\nvar app_info = vcf::java::get_app_info(app:app_list);\n\nvar constraints = [\n { 'min_version' : '18.0', 'fixed_version' : '18.0.1.10.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T14:48:20", "description": "The remote Ubuntu 20.04 LTS / 21.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5388-2 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-26T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : OpenJDK vulnerabilities (USN-5388-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:openjdk-17-demo", "p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jdk", "p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jdk-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jre", "p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jre-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jre-zero", "p-cpe:/a:canonical:ubuntu_linux:openjdk-17-source"], "id": "UBUNTU_USN-5388-2.NASL", "href": "https://www.tenable.com/plugins/nessus/160205", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5388-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160205);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/16\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"USN\", value:\"5388-2\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : OpenJDK vulnerabilities (USN-5388-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 21.10 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-5388-2 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle\n GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion\n or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5388-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-source\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'openjdk-17-demo', 'pkgver': '17.0.3+7-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-17-jdk', 'pkgver': '17.0.3+7-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-17-jdk-headless', 'pkgver': '17.0.3+7-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-17-jre', 'pkgver': '17.0.3+7-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-17-jre-headless', 'pkgver': '17.0.3+7-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-17-jre-zero', 'pkgver': '17.0.3+7-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-17-source', 'pkgver': '17.0.3+7-0ubuntu0.18.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-17-demo', 'pkgver': '17.0.3+7-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-17-jdk', 'pkgver': '17.0.3+7-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-17-jdk-headless', 'pkgver': '17.0.3+7-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-17-jre', 'pkgver': '17.0.3+7-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-17-jre-headless', 'pkgver': '17.0.3+7-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-17-jre-zero', 'pkgver': '17.0.3+7-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-17-source', 'pkgver': '17.0.3+7-0ubuntu0.20.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-17-demo', 'pkgver': '17.0.3+7-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-17-jdk', 'pkgver': '17.0.3+7-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-17-jdk-headless', 'pkgver': '17.0.3+7-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-17-jre', 'pkgver': '17.0.3+7-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-17-jre-headless', 'pkgver': '17.0.3+7-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-17-jre-zero', 'pkgver': '17.0.3+7-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-17-source', 'pkgver': '17.0.3+7-0ubuntu0.22.04.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openjdk-17-demo / openjdk-17-jdk / openjdk-17-jdk-headless / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-12T13:31:00", "description": "The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:1445 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-11-06T00:00:00", "type": "nessus", "title": "Rocky Linux 8 : java-17-openjdk (RLSA-2022:1445)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:rocky:linux:java-17-openjdk", "p-cpe:/a:rocky:linux:java-17-openjdk-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-debugsource", "p-cpe:/a:rocky:linux:java-17-openjdk-headless", "p-cpe:/a:rocky:linux:java-17-openjdk-headless-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-headless-fastdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-headless-fastdebug-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-headless-slowdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-headless-slowdebug-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-javadoc", "p-cpe:/a:rocky:linux:java-17-openjdk-javadoc-zip", "p-cpe:/a:rocky:linux:java-17-openjdk-jmods", "p-cpe:/a:rocky:linux:java-17-openjdk-jmods-fastdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-jmods-slowdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-slowdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-slowdebug-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-src", "p-cpe:/a:rocky:linux:java-17-openjdk-src-fastdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-src-slowdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-static-libs", "p-cpe:/a:rocky:linux:java-17-openjdk-static-libs-fastdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-static-libs-slowdebug", "cpe:/o:rocky:linux:8", "p-cpe:/a:rocky:linux:java-17-openjdk-demo", "p-cpe:/a:rocky:linux:java-17-openjdk-demo-fastdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-demo-slowdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-devel", "p-cpe:/a:rocky:linux:java-17-openjdk-devel-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-devel-fastdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-devel-fastdebug-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-devel-slowdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-devel-slowdebug-debuginfo", "p-cpe:/a:rocky:linux:java-17-openjdk-fastdebug", "p-cpe:/a:rocky:linux:java-17-openjdk-fastdebug-debuginfo"], "id": "ROCKY_LINUX_RLSA-2022-1445.NASL", "href": "https://www.tenable.com/plugins/nessus/184650", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# Rocky Linux Security Advisory RLSA-2022:1445.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(184650);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RLSA\", value:\"2022:1445\");\n\n script_name(english:\"Rocky Linux 8 : java-17-openjdk (RLSA-2022:1445)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Rocky Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nRLSA-2022:1445 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle\n GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion\n or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.rockylinux.org/RLSA-2022:1445\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2018189\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2055396\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075821\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-devel-fastdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-devel-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-fastdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-headless-fastdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-headless-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-17-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:rocky:linux:8\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Rocky Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RockyLinux/release\", \"Host/RockyLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RockyLinux/release');\nif (isnull(os_release) || 'Rocky Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Rocky Linux');\nvar os_ver = pregmatch(pattern: \"Rocky(?: Linux)? release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Rocky Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Rocky Linux 8.x', 'Rocky Linux ' + os_ver);\n\nif (!get_kb_item('Host/RockyLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Rocky Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-debugsource-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-debugsource-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-debuginfo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'Rocky-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-17-openjdk / java-17-openjdk-debuginfo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:05:28", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2022 CPU advisory:\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note:\n This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18;\n Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21426)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-17T00:00:00", "type": "nessus", "title": "Oracle Java SE Multiple Vulnerabilities (April 2022 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-27T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_2022_APR.NASL", "href": "https://www.tenable.com/plugins/nessus/161241", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161241);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/27\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (April 2022 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is affected by multiple\nvulnerabilities as referenced in the April 2022 CPU advisory:\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM\n Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note:\n This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified\n Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18;\n Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or\n complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This\n vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed\n Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle\n GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial\n of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies\n to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox\n for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. (CVE-2022-21426)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2022 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\", \"sun_java_jre_installed_unix.nasl\");\n script_require_keys(\"installed_sw/Java\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_list = ['Oracle Java'];\n\nvar app_info = vcf::java::get_app_info(app:app_list);\n\n# 7u331, 8u321, 11.0.14, 17.0.2, 18\nvar constraints = [\n { 'min_version' : '7.0.0', 'fixed_version' : '7.0.341', 'fixed_display' : 'Upgrade to version 7.0.341 or greater' },\n { 'min_version' : '8.0.0', 'fixed_version' : '8.0.331', 'fixed_display' : 'Upgrade to version 8.0.331 or greater' },\n { 'min_version' : '11.0.0', 'fixed_version' : '11.0.15', 'fixed_display' : 'Upgrade to version 11.0.15 or greater' },\n { 'min_version' : '17.0.0', 'fixed_version' : '17.0.3', 'fixed_display' : 'Upgrade to version 17.0.3 or greater' },\n { 'min_version' : '18.0.0', 'fixed_version' : '18.0.1', 'fixed_display' : 'Upgrade to version 18.0.1 or greater' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T16:04:32", "description": "This plugin has been deprecated and will be replaced by oracle_java_cpu_2022_apr.nasl. This will cover both windows and unix support for Java Oracle April 2022 CPU", "cvss3": {}, "published": "2022-04-20T00:00:00", "type": "nessus", "title": "Oracle Java SE Multiple Vulnerabilities (April 2022 CPU) deprecated", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-17T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_APR_2022.NASL", "href": "https://www.tenable.com/plugins/nessus/159975", "sourceData": "##\n#\n# (C) Tenable, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2022/05/04. Deprecated by oracle_java_cpu_2022_apr.nasl.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159975);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/17\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170\");\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (April 2022 CPU) deprecated\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin has been deprecated and will be replaced by oracle_java_cpu_2022_apr.nasl. This will cover \nboth windows and unix support for Java Oracle April 2022 CPU\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA\");\n script_set_attribute(attribute:\"solution\", value:\n\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\");\n script_require_keys(\"SMB/Java/JRE/Installed\");\n\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use oracle_java_cpu_2022.nasl instead.');", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-01T15:20:05", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-1445 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-21T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : java-17-openjdk (ELSA-2022-1445)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-31T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:java-17-openjdk", "p-cpe:/a:oracle:linux:java-17-openjdk-demo", "p-cpe:/a:oracle:linux:java-17-openjdk-demo-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-demo-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-devel", "p-cpe:/a:oracle:linux:java-17-openjdk-devel-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-devel-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-headless", "p-cpe:/a:oracle:linux:java-17-openjdk-headless-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-headless-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-17-openjdk-javadoc-zip", "p-cpe:/a:oracle:linux:java-17-openjdk-jmods", "p-cpe:/a:oracle:linux:java-17-openjdk-jmods-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-jmods-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-src", "p-cpe:/a:oracle:linux:java-17-openjdk-src-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-src-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-static-libs", "p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-slowdebug"], "id": "ORACLELINUX_ELSA-2022-1445.NASL", "href": "https://www.tenable.com/plugins/nessus/160051", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-1445.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160051);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/31\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"Oracle Linux 8 : java-17-openjdk (ELSA-2022-1445)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-1445 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle\n GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-1445.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-17-openjdk / java-17-openjdk-demo / java-17-openjdk-demo-fastdebug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-03T21:44:40", "description": "The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:1729 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-16T00:00:00", "type": "nessus", "title": "AlmaLinux 9 : java-17-openjdk (ALSA-2022:1729)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-03T00:00:00", "cpe": ["p-cpe:/a:alma:linux:java-17-openjdk", "p-cpe:/a:alma:linux:java-17-openjdk-demo", "p-cpe:/a:alma:linux:java-17-openjdk-demo-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-demo-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-devel", "p-cpe:/a:alma:linux:java-17-openjdk-devel-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-devel-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-headless", "p-cpe:/a:alma:linux:java-17-openjdk-headless-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-headless-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-javadoc", "p-cpe:/a:alma:linux:java-17-openjdk-javadoc-zip", "p-cpe:/a:alma:linux:java-17-openjdk-jmods", "p-cpe:/a:alma:linux:java-17-openjdk-jmods-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-jmods-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-src", "p-cpe:/a:alma:linux:java-17-openjdk-src-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-src-slowdebug", "p-cpe:/a:alma:linux:java-17-openjdk-static-libs", "p-cpe:/a:alma:linux:java-17-openjdk-static-libs-fastdebug", "p-cpe:/a:alma:linux:java-17-openjdk-static-libs-slowdebug", "cpe:/o:alma:linux:9", "cpe:/o:alma:linux:9::appstream", "cpe:/o:alma:linux:9::crb"], "id": "ALMA_LINUX_ALSA-2022-1729.NASL", "href": "https://www.tenable.com/plugins/nessus/167685", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2022:1729.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167685);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/03\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"ALSA\", value:\"2022:1729\");\n\n script_name(english:\"AlmaLinux 9 : java-17-openjdk (ALSA-2022:1729)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nALSA-2022:1729 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/9/ALSA-2022-1729.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 191, 347, 400, 470, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-17-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9::crb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 9.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nvar pkgs = [\n {'reference':'java-17-openjdk-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-17-openjdk / java-17-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-21T16:07:06", "description": "The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-1729 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-07T00:00:00", "type": "nessus", "title": "Oracle Linux 9 : java-17-openjdk (ELSA-2022-1729)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-19T00:00:00", "cpe": ["cpe:/o:oracle:linux:9", "p-cpe:/a:oracle:linux:java-17-openjdk", "p-cpe:/a:oracle:linux:java-17-openjdk-demo", "p-cpe:/a:oracle:linux:java-17-openjdk-demo-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-demo-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-devel", "p-cpe:/a:oracle:linux:java-17-openjdk-devel-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-devel-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-headless", "p-cpe:/a:oracle:linux:java-17-openjdk-headless-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-headless-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-17-openjdk-javadoc-zip", "p-cpe:/a:oracle:linux:java-17-openjdk-jmods", "p-cpe:/a:oracle:linux:java-17-openjdk-jmods-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-jmods-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-src", "p-cpe:/a:oracle:linux:java-17-openjdk-src-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-src-slowdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-static-libs", "p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-fastdebug", "p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-slowdebug"], "id": "ORACLELINUX_ELSA-2022-1729.NASL", "href": "https://www.tenable.com/plugins/nessus/162798", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-1729.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162798);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/19\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n\n script_name(english:\"Oracle Linux 9 : java-17-openjdk (ELSA-2022-1729)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-1729 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle\n GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion\n or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-1729.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-slowdebug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-17-openjdk-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-17-openjdk / java-17-openjdk-demo / java-17-openjdk-demo-fastdebug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-01T15:24:22", "description": "The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5128 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-05T00:00:00", "type": "nessus", "title": "Debian DSA-5128-1 : openjdk-17 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-31T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:openjdk-17-dbg", "p-cpe:/a:debian:debian_linux:openjdk-17-demo", "p-cpe:/a:debian:debian_linux:openjdk-17-doc", "p-cpe:/a:debian:debian_linux:openjdk-17-jdk", "p-cpe:/a:debian:debian_linux:openjdk-17-jdk-headless", "p-cpe:/a:debian:debian_linux:openjdk-17-jre", "p-cpe:/a:debian:debian_linux:openjdk-17-jre-headless", "p-cpe:/a:debian:debian_linux:openjdk-17-jre-zero", "p-cpe:/a:debian:debian_linux:openjdk-17-source", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5128.NASL", "href": "https://www.tenable.com/plugins/nessus/160525", "sourceData": "#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5128. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160525);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/31\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"Debian DSA-5128-1 : openjdk-17 - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndsa-5128 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle\n GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion\n or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/openjdk-17\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5128\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21449\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/openjdk-17\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the openjdk-17 packages.\n\nFor the stable distribution (bullseye), these problems have been fixed in version 17.0.3+7-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-jdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-jdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-17-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'openjdk-17-dbg', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-demo', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-doc', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-jdk', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-jdk-headless', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-jre', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-jre-headless', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-jre-zero', 'reference': '17.0.3+7-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-17-source', 'reference': '17.0.3+7-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openjdk-17-dbg / openjdk-17-demo / openjdk-17-doc / openjdk-17-jdk / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-15T15:06:12", "description": "The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1729 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-08T00:00:00", "type": "nessus", "title": "RHEL 9 : java-17-openjdk (RHSA-2022:1729)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-12T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:9", "cpe:/o:redhat:rhel_e4s:9.0", "cpe:/o:redhat:rhel_eus:9.0", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-slowdebug"], "id": "REDHAT-RHSA-2022-1729.NASL", "href": "https://www.tenable.com/plugins/nessus/164866", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1729. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164866);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/12\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1729\");\n\n script_name(english:\"RHEL 9 : java-17-openjdk (RHSA-2022:1729)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1729 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21449\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1729\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075821\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 179, 191, 347, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-17-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '9')) audit(AUDIT_OS_NOT, 'Red Hat 9.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel9/9/aarch64/appstream/debug',\n 'content/dist/rhel9/9/aarch64/appstream/os',\n 'content/dist/rhel9/9/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/baseos/debug',\n 'content/dist/rhel9/9/aarch64/baseos/os',\n 'content/dist/rhel9/9/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/codeready-builder/debug',\n 'content/dist/rhel9/9/aarch64/codeready-builder/os',\n 'content/dist/rhel9/9/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/highavailability/debug',\n 'content/dist/rhel9/9/aarch64/highavailability/os',\n 'content/dist/rhel9/9/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/supplementary/debug',\n 'content/dist/rhel9/9/aarch64/supplementary/os',\n 'content/dist/rhel9/9/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/appstream/debug',\n 'content/dist/rhel9/9/ppc64le/appstream/os',\n 'content/dist/rhel9/9/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/baseos/debug',\n 'content/dist/rhel9/9/ppc64le/baseos/os',\n 'content/dist/rhel9/9/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/debug',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/os',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/highavailability/debug',\n 'content/dist/rhel9/9/ppc64le/highavailability/os',\n 'content/dist/rhel9/9/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/debug',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/os',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/debug',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/os',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap/debug',\n 'content/dist/rhel9/9/ppc64le/sap/os',\n 'content/dist/rhel9/9/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/supplementary/debug',\n 'content/dist/rhel9/9/ppc64le/supplementary/os',\n 'content/dist/rhel9/9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/appstream/debug',\n 'content/dist/rhel9/9/x86_64/appstream/os',\n 'content/dist/rhel9/9/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/baseos/debug',\n 'content/dist/rhel9/9/x86_64/baseos/os',\n 'content/dist/rhel9/9/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/codeready-builder/debug',\n 'content/dist/rhel9/9/x86_64/codeready-builder/os',\n 'content/dist/rhel9/9/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/highavailability/debug',\n 'content/dist/rhel9/9/x86_64/highavailability/os',\n 'content/dist/rhel9/9/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/nfv/debug',\n 'content/dist/rhel9/9/x86_64/nfv/os',\n 'content/dist/rhel9/9/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/resilientstorage/debug',\n 'content/dist/rhel9/9/x86_64/resilientstorage/os',\n 'content/dist/rhel9/9/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/rt/debug',\n 'content/dist/rhel9/9/x86_64/rt/os',\n 'content/dist/rhel9/9/x86_64/rt/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap-solutions/debug',\n 'content/dist/rhel9/9/x86_64/sap-solutions/os',\n 'content/dist/rhel9/9/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap/debug',\n 'content/dist/rhel9/9/x86_64/sap/os',\n 'content/dist/rhel9/9/x86_64/sap/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/supplementary/debug',\n 'content/dist/rhel9/9/x86_64/supplementary/os',\n 'content/dist/rhel9/9/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-17-openjdk-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.7-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/e4s/rhel9/9.0/aarch64/appstream/debug',\n 'content/e4s/rhel9/9.0/aarch64/appstream/os',\n 'content/e4s/rhel9/9.0/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/aarch64/baseos/debug',\n 'content/e4s/rhel9/9.0/aarch64/baseos/os',\n 'content/e4s/rhel9/9.0/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/debug',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/os',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/debug',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/os',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/debug',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/os',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/debug',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/os',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/debug',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/os',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/os',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/sap/debug',\n 'content/e4s/rhel9/9.0/ppc64le/sap/os',\n 'content/e4s/rhel9/9.0/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/appstream/debug',\n 'content/e4s/rhel9/9.0/x86_64/appstream/os',\n 'content/e4s/rhel9/9.0/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/baseos/debug',\n 'content/e4s/rhel9/9.0/x86_64/baseos/os',\n 'content/e4s/rhel9/9.0/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/debug',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/os',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/nfv/debug',\n 'content/e4s/rhel9/9.0/x86_64/nfv/os',\n 'content/e4s/rhel9/9.0/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/debug',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/os',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/rt/debug',\n 'content/e4s/rhel9/9.0/x86_64/rt/os',\n 'content/e4s/rhel9/9.0/x86_64/rt/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/debug',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/os',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/sap/debug',\n 'content/e4s/rhel9/9.0/x86_64/sap/os',\n 'content/e4s/rhel9/9.0/x86_64/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/appstream/debug',\n 'content/eus/rhel9/9.0/aarch64/appstream/os',\n 'content/eus/rhel9/9.0/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/baseos/debug',\n 'content/eus/rhel9/9.0/aarch64/baseos/os',\n 'content/eus/rhel9/9.0/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/debug',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/os',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/highavailability/debug',\n 'content/eus/rhel9/9.0/aarch64/highavailability/os',\n 'content/eus/rhel9/9.0/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/supplementary/debug',\n 'content/eus/rhel9/9.0/aarch64/supplementary/os',\n 'content/eus/rhel9/9.0/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/appstream/debug',\n 'content/eus/rhel9/9.0/ppc64le/appstream/os',\n 'content/eus/rhel9/9.0/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/baseos/debug',\n 'content/eus/rhel9/9.0/ppc64le/baseos/os',\n 'content/eus/rhel9/9.0/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/debug',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/os',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/debug',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/os',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/debug',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/os',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/debug',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/os',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/sap/debug',\n 'content/eus/rhel9/9.0/ppc64le/sap/os',\n 'content/eus/rhel9/9.0/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/debug',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/os',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/appstream/debug',\n 'content/eus/rhel9/9.0/x86_64/appstream/os',\n 'content/eus/rhel9/9.0/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/baseos/debug',\n 'content/eus/rhel9/9.0/x86_64/baseos/os',\n 'content/eus/rhel9/9.0/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/debug',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/os',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/highavailability/debug',\n 'content/eus/rhel9/9.0/x86_64/highavailability/os',\n 'content/eus/rhel9/9.0/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/debug',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/os',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/debug',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/os',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/sap/debug',\n 'content/eus/rhel9/9.0/x86_64/sap/os',\n 'content/eus/rhel9/9.0/x86_64/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/supplementary/debug',\n 'content/eus/rhel9/9.0/x86_64/supplementary/os',\n 'content/eus/rhel9/9.0/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-17-openjdk-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-demo-slowdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-devel-slowdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-headless-slowdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-javadoc-zip-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-jmods-slowdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-slowdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-src-slowdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-fastdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-17-openjdk-static-libs-slowdebug-17.0.3.0.7-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-17-openjdk / java-17-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-02T15:05:00", "description": "The version of OpenJDK installed on the remote host is prior to 7 <= 7u331 / 8 <= 8u322 / 11.0.0 <= 11.0.14 / 13.0.0 <= 13.0.10 / 15.0.0 <= 15.0.6 / 17.0.0 <= 17.0.2 / 18.0.0 <= 18.0.0. It is, therefore, affected by multiple vulnerabilities as referenced in the 2022-04-19 advisory.\n\nPlease Note: Java CVEs do not always include OpenJDK versions, but are confirmed separately by Tenable using the patch versions from the referenced OpenJDK security advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 15.0.6, 17.0.2 and 18;\n Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-20T00:00:00", "type": "nessus", "title": "OpenJDK 7 <= 7u331 / 8 <= 8u322 / 11.0.0 <= 11.0.14 / 13.0.0 <= 13.0.10 / 15.0.0 <= 15.0.6 / 17.0.0 <= 17.0.2 / 18.0.0 <= 18.0.0 Multiple Vulnerabilities (2022-04-19)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-11-01T00:00:00", "cpe": ["cpe:/a:oracle:openjdk"], "id": "OPENJDK_2022-04-19.NASL", "href": "https://www.tenable.com/plugins/nessus/159948", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159948);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/01\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n\n script_name(english:\"OpenJDK 7 <= 7u331 / 8 <= 8u322 / 11.0.0 <= 11.0.14 / 13.0.0 <= 13.0.10 / 15.0.0 <= 15.0.6 / 17.0.0 <= 17.0.2 / 18.0.0 <= 18.0.0 Multiple Vulnerabilities (2022-04-19)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"OpenJDK is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of OpenJDK installed on the remote host is prior to 7 <= 7u331 / 8 <= 8u322 / 11.0.0 <= 11.0.14 / 13.0.0 <=\n13.0.10 / 15.0.0 <= 15.0.6 / 17.0.0 <= 17.0.2 / 18.0.0 <= 18.0.0. It is, therefore, affected by multiple vulnerabilities\nas referenced in the 2022-04-19 advisory.\n\nPlease Note: Java CVEs do not always include OpenJDK versions, but are confirmed separately by Tenable using the patch\nversions from the referenced OpenJDK security advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 15.0.6, 17.0.2 and 18;\n Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle\n GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to an OpenJDK version greater than 7u331 / 8u322 / 11.0.14 / 13.0.10 / 15.0.6 / 17.0.2 / 18.0.0\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:openjdk\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"adoptopenjdk_nix_installed.nbin\", \"adoptopenjdk_win_installed.nbin\", \"openjdk_win_installed.nbin\", \"openjdk_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Java\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_list = [\n 'OpenJDK Java',\n 'AdoptOpenJDK'\n];\n\nvar app_info = vcf::java::get_app_info(app:app_list);\n\nvar constraints = [\n { 'min_version' : '7.0.0', 'max_version' : '7.0.331', 'fixed_display' : 'Upgrade to a version greater than 7u331' },\n { 'min_version' : '8.0.0', 'max_version' : '8.0.322', 'fixed_display' : 'Upgrade to a version greater than 8u322' },\n { 'min_version' : '11.0.0', 'max_version' : '11.0.14', 'fixed_display' : 'Upgrade to a version greater than 11.0.14' },\n { 'min_version' : '13.0.0', 'max_version' : '13.0.10', 'fixed_display' : 'Upgrade to a version greater than 13.0.10' },\n { 'min_version' : '15.0.0', 'max_version' : '15.0.6', 'fixed_display' : 'Upgrade to a version greater than 15.0.6' },\n { 'min_version' : '17.0.0', 'max_version' : '17.0.2', 'fixed_display' : 'Upgrade to a version greater than 17.0.2' },\n { 'min_version' : '18.0.0', 'max_version' : '18.0.0', 'fixed_display' : 'Upgrade to a version greater than 18.0.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-01T15:22:55", "description": "The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5131 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-05T00:00:00", "type": "nessus", "title": "Debian DSA-5131-1 : openjdk-11 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:openjdk-11-dbg", "p-cpe:/a:debian:debian_linux:openjdk-11-demo", "p-cpe:/a:debian:debian_linux:openjdk-11-doc", "p-cpe:/a:debian:debian_linux:openjdk-11-jdk", "p-cpe:/a:debian:debian_linux:openjdk-11-jdk-headless", "p-cpe:/a:debian:debian_linux:openjdk-11-jre", "p-cpe:/a:debian:debian_linux:openjdk-11-jre-headless", "p-cpe:/a:debian:debian_linux:openjdk-11-jre-zero", "p-cpe:/a:debian:debian_linux:openjdk-11-source", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5131.NASL", "href": "https://www.tenable.com/plugins/nessus/160628", "sourceData": "#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5131. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160628);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/30\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"Debian DSA-5131-1 : openjdk-11 - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndsa-5131 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle\n GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion\n or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/openjdk-11\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5131\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21449\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/buster/openjdk-11\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/openjdk-11\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the openjdk-11 packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 11.0.15+10-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-jdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-jdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openjdk-11-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(10)\\.[0-9]+|^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 10.0 / 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '10.0', 'prefix': 'openjdk-11-dbg', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-demo', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-doc', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-jdk', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-jdk-headless', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-jre', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-jre-headless', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-jre-zero', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '10.0', 'prefix': 'openjdk-11-source', 'reference': '11.0.15+10-1~deb10u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-dbg', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-demo', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-doc', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-jdk', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-jdk-headless', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-jre', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-jre-headless', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-jre-zero', 'reference': '11.0.15+10-1~deb11u1'},\n {'release': '11.0', 'prefix': 'openjdk-11-source', 'reference': '11.0.15+10-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openjdk-11-dbg / openjdk-11-demo / openjdk-11-doc / openjdk-11-jdk / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-02T15:05:28", "description": "The version of Amazon Corretto installed on the remote host is prior to 8 < 8.332.08.1. It is, therefore, affected by multiple vulnerabilities as referenced in the corretto-8-2022-Apr-19 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21476)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-19T00:00:00", "type": "nessus", "title": "Amazon Corretto Java 8.x < 8.332.08.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-25032", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-11-01T00:00:00", "cpe": ["cpe:/a:amazon:corretto"], "id": "AMAZON_CORRETTO_8_332_08_1.NASL", "href": "https://www.tenable.com/plugins/nessus/159899", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159899);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/01\");\n\n script_cve_id(\n \"CVE-2018-25032\",\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n\n script_name(english:\"Amazon Corretto Java 8.x < 8.332.08.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Amazon Corretto is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Amazon Corretto installed on the remote host is prior to 8 < 8.332.08.1. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the corretto-8-2022-Apr-19 advisory.\n\n - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many\n distant matches. (CVE-2018-25032)\n\n - xml/jaxp (CVE-2022-21426)\n\n - core-libs/java.lang (CVE-2022-21434)\n\n - security-libs/java.security (CVE-2022-21443, CVE-2022-21476)\n\n - core-libs/javax.naming (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/corretto/corretto-8/blob/develop/CHANGELOG.md#corretto-version-8332081\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cc5e0452\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Amazon Corretto Java 8.332.08.1 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:amazon:corretto\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"amazon_corretto_win_installed.nbin\", \"amazon_corretto_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Java\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_list = ['Amazon Corretto Java'];\nvar app_info = vcf::java::get_app_info(app:app_list);\n\nvar constraints = [\n { 'min_version' : '8.0', 'fixed_version' : '8.332.08.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:36:14", "description": "The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:2137 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-16T00:00:00", "type": "nessus", "title": "AlmaLinux 9 : java-1.8.0-openjdk (ALSA-2022:2137)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-11-17T00:00:00", "cpe": ["p-cpe:/a:alma:linux:java-1.8.0-openjdk", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-src", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-slowdebug", "cpe:/o:alma:linux:9", "cpe:/o:alma:linux:9::appstream", "cpe:/o:alma:linux:9::crb"], "id": "ALMA_LINUX_ALSA-2022-2137.NASL", "href": "https://www.tenable.com/plugins/nessus/167673", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2022:2137.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167673);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/17\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"ALSA\", value:\"2022:2137\");\n\n script_name(english:\"AlmaLinux 9 : java-1.8.0-openjdk (ALSA-2022:2137)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nALSA-2022:2137 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/9/ALSA-2022-2137.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 191, 400, 470, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9::crb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 9.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nvar pkgs = [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:45", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-1442 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-21T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : java-11-openjdk (ELSA-2022-1442)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-08-09T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:java-11-openjdk", "p-cpe:/a:oracle:linux:java-11-openjdk-demo", "p-cpe:/a:oracle:linux:java-11-openjdk-demo-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-demo-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-devel", "p-cpe:/a:oracle:linux:java-11-openjdk-devel-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-devel-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-headless", "p-cpe:/a:oracle:linux:java-11-openjdk-headless-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-headless-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:oracle:linux:java-11-openjdk-jmods", "p-cpe:/a:oracle:linux:java-11-openjdk-jmods-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-jmods-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-src", "p-cpe:/a:oracle:linux:java-11-openjdk-src-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-src-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-static-libs", "p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-slowdebug"], "id": "ORACLELINUX_ELSA-2022-1442.NASL", "href": "https://www.tenable.com/plugins/nessus/160052", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-1442.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160052);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/09\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"Oracle Linux 8 : java-11-openjdk (ELSA-2022-1442)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-1442 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-1442.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / java-11-openjdk-demo-fastdebug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:09", "description": "The version of java-11-amazon-corretto installed on the remote host is prior to 11.0.15+9-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1790 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-27T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : java-11-amazon-corretto (ALAS-2022-1790)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-08-09T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-11-amazon-corretto", "p-cpe:/a:amazon:linux:java-11-amazon-corretto-headless", "p-cpe:/a:amazon:linux:java-11-amazon-corretto-javadoc", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2022-1790.NASL", "href": "https://www.tenable.com/plugins/nessus/160266", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1790.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160266);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/09\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n script_xref(name:\"ALAS\", value:\"2022-1790\");\n\n script_name(english:\"Amazon Linux 2 : java-11-amazon-corretto (ALAS-2022-1790)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of java-11-amazon-corretto installed on the remote host is prior to 11.0.15+9-1. It is, therefore, affected\nby multiple vulnerabilities as referenced in the ALAS2-2022-1790 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2022-1790.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21426.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21434.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21443.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21496.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update java-11-amazon-corretto' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-11-amazon-corretto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-11-amazon-corretto-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-11-amazon-corretto-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'java-11-amazon-corretto-11.0.15+9-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-11.0.15+9-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-headless-11.0.15+9-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-headless-11.0.15+9-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-javadoc-11.0.15+9-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-javadoc-11.0.15+9-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-11-amazon-corretto / java-11-amazon-corretto-headless / java-11-amazon-corretto-javadoc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-19T14:51:37", "description": "The remote Ubuntu 20.04 LTS / 21.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5388-1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-26T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : OpenJDK vulnerabilities (USN-5388-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-demo", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-zero", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-source"], "id": "UBUNTU_USN-5388-1.NASL", "href": "https://www.tenable.com/plugins/nessus/160206", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5388-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160206);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/16\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"USN\", value:\"5388-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : OpenJDK vulnerabilities (USN-5388-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 21.10 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-5388-1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5388-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-source\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('18.04' >< os_release || '20.04' >< os_release || '22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'openjdk-11-demo', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jdk', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jdk-headless', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jre', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jre-headless', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jre-zero', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-source', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-demo', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jdk', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jdk-headless', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jre', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jre-headless', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jre-zero', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-source', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-demo', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jdk', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jdk-headless', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jre', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jre-headless', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jre-zero', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-source', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openjdk-11-demo / openjdk-11-jdk / openjdk-11-jdk-headless / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:40:21", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1442 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-21T00:00:00", "type": "nessus", "title": "RHEL 8 : java-11-openjdk (RHSA-2022:1442)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug"], "id": "REDHAT-RHSA-2022-1442.NASL", "href": "https://www.tenable.com/plugins/nessus/160023", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1442. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160023);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1442\");\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"RHEL 8 : java-11-openjdk (RHSA-2022:1442)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1442 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1442\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:39:54", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1488 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-26T00:00:00", "type": "nessus", "title": "RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1488)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:rhel_e4s:8.1", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src"], "id": "REDHAT-RHSA-2022-1488.NASL", "href": "https://www.tenable.com/plugins/nessus/160210", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1488. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160210);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1488\");\n\n script_name(english:\"RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1488)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1488 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1488\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.1')) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/e4s/rhel8/8.1/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.1/x86_64/appstream/os',\n 'content/e4s/rhel8/8.1/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.1/x86_64/baseos/os',\n 'content/e4s/rhel8/8.1/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap/os',\n 'content/e4s/rhel8/8.1/x86_64/sap/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Update Services for SAP Solutions repository.\\n' +\n 'Access to this repository requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T20:31:35", "description": "The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1728 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-08T00:00:00", "type": "nessus", "title": "RHEL 9 : java-11-openjdk (RHSA-2022:1728)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:9", "cpe:/o:redhat:rhel_e4s:9.0", "cpe:/o:redhat:rhel_eus:9.0", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug"], "id": "REDHAT-RHSA-2022-1728.NASL", "href": "https://www.tenable.com/plugins/nessus/164869", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1728. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164869);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1728\");\n\n script_name(english:\"RHEL 9 : java-11-openjdk (RHSA-2022:1728)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1728 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1728\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '9')) audit(AUDIT_OS_NOT, 'Red Hat 9.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel9/9/aarch64/appstream/debug',\n 'content/dist/rhel9/9/aarch64/appstream/os',\n 'content/dist/rhel9/9/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/baseos/debug',\n 'content/dist/rhel9/9/aarch64/baseos/os',\n 'content/dist/rhel9/9/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/codeready-builder/debug',\n 'content/dist/rhel9/9/aarch64/codeready-builder/os',\n 'content/dist/rhel9/9/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/highavailability/debug',\n 'content/dist/rhel9/9/aarch64/highavailability/os',\n 'content/dist/rhel9/9/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/supplementary/debug',\n 'content/dist/rhel9/9/aarch64/supplementary/os',\n 'content/dist/rhel9/9/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/appstream/debug',\n 'content/dist/rhel9/9/ppc64le/appstream/os',\n 'content/dist/rhel9/9/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/baseos/debug',\n 'content/dist/rhel9/9/ppc64le/baseos/os',\n 'content/dist/rhel9/9/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/debug',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/os',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/highavailability/debug',\n 'content/dist/rhel9/9/ppc64le/highavailability/os',\n 'content/dist/rhel9/9/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/debug',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/os',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/debug',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/os',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap/debug',\n 'content/dist/rhel9/9/ppc64le/sap/os',\n 'content/dist/rhel9/9/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/supplementary/debug',\n 'content/dist/rhel9/9/ppc64le/supplementary/os',\n 'content/dist/rhel9/9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/appstream/debug',\n 'content/dist/rhel9/9/x86_64/appstream/os',\n 'content/dist/rhel9/9/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/baseos/debug',\n 'content/dist/rhel9/9/x86_64/baseos/os',\n 'content/dist/rhel9/9/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/codeready-builder/debug',\n 'content/dist/rhel9/9/x86_64/codeready-builder/os',\n 'content/dist/rhel9/9/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/highavailability/debug',\n 'content/dist/rhel9/9/x86_64/highavailability/os',\n 'content/dist/rhel9/9/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/nfv/debug',\n 'content/dist/rhel9/9/x86_64/nfv/os',\n 'content/dist/rhel9/9/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/resilientstorage/debug',\n 'content/dist/rhel9/9/x86_64/resilientstorage/os',\n 'content/dist/rhel9/9/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/rt/debug',\n 'content/dist/rhel9/9/x86_64/rt/os',\n 'content/dist/rhel9/9/x86_64/rt/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap-solutions/debug',\n 'content/dist/rhel9/9/x86_64/sap-solutions/os',\n 'content/dist/rhel9/9/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap/debug',\n 'content/dist/rhel9/9/x86_64/sap/os',\n 'content/dist/rhel9/9/x86_64/sap/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/supplementary/debug',\n 'content/dist/rhel9/9/x86_64/supplementary/os',\n 'content/dist/rhel9/9/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/e4s/rhel9/9.0/aarch64/appstream/debug',\n 'content/e4s/rhel9/9.0/aarch64/appstream/os',\n 'content/e4s/rhel9/9.0/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/aarch64/baseos/debug',\n 'content/e4s/rhel9/9.0/aarch64/baseos/os',\n 'content/e4s/rhel9/9.0/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/debug',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/os',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/debug',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/os',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/debug',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/os',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/debug',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/os',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/debug',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/os',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/os',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/sap/debug',\n 'content/e4s/rhel9/9.0/ppc64le/sap/os',\n 'content/e4s/rhel9/9.0/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/appstream/debug',\n 'content/e4s/rhel9/9.0/x86_64/appstream/os',\n 'content/e4s/rhel9/9.0/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/baseos/debug',\n 'content/e4s/rhel9/9.0/x86_64/baseos/os',\n 'content/e4s/rhel9/9.0/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/debug',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/os',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/nfv/debug',\n 'content/e4s/rhel9/9.0/x86_64/nfv/os',\n 'content/e4s/rhel9/9.0/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/debug',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/os',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/rt/debug',\n 'content/e4s/rhel9/9.0/x86_64/rt/os',\n 'content/e4s/rhel9/9.0/x86_64/rt/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/debug',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/os',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/sap/debug',\n 'content/e4s/rhel9/9.0/x86_64/sap/os',\n 'content/e4s/rhel9/9.0/x86_64/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/appstream/debug',\n 'content/eus/rhel9/9.0/aarch64/appstream/os',\n 'content/eus/rhel9/9.0/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/baseos/debug',\n 'content/eus/rhel9/9.0/aarch64/baseos/os',\n 'content/eus/rhel9/9.0/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/debug',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/os',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/highavailability/debug',\n 'content/eus/rhel9/9.0/aarch64/highavailability/os',\n 'content/eus/rhel9/9.0/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/supplementary/debug',\n 'content/eus/rhel9/9.0/aarch64/supplementary/os',\n 'content/eus/rhel9/9.0/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/appstream/debug',\n 'content/eus/rhel9/9.0/ppc64le/appstream/os',\n 'content/eus/rhel9/9.0/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/baseos/debug',\n 'content/eus/rhel9/9.0/ppc64le/baseos/os',\n 'content/eus/rhel9/9.0/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/debug',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/os',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/debug',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/os',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/debug',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/os',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/debug',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/os',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/sap/debug',\n 'content/eus/rhel9/9.0/ppc64le/sap/os',\n 'content/eus/rhel9/9.0/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/debug',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/os',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/appstream/debug',\n 'content/eus/rhel9/9.0/x86_64/appstream/os',\n 'content/eus/rhel9/9.0/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/baseos/debug',\n 'content/eus/rhel9/9.0/x86_64/baseos/os',\n 'content/eus/rhel9/9.0/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/debug',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/os',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/highavailability/debug',\n 'content/eus/rhel9/9.0/x86_64/highavailability/os',\n 'content/eus/rhel9/9.0/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/debug',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/os',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/debug',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/os',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/sap/debug',\n 'content/eus/rhel9/9.0/x86_64/sap/os',\n 'content/eus/rhel9/9.0/x86_64/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/supplementary/debug',\n 'content/eus/rhel9/9.0/x86_64/supplementary/os',\n 'content/eus/rhel9/9.0/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:34", "description": "The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2022:1440-1 advisory.\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-21T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : java-11-openjdk on SL7.x i686/x86_64 (2022:1440)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-06T00:00:00", "cpe": ["cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-debuginfo", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-headless", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-jmods", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-static-libs"], "id": "SL_20220420_JAVA_11_OPENJDK_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/160059", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160059);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/06\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"RHSA-2022:1440\");\n\n script_name(english:\"Scientific Linux Security Update : java-11-openjdk on SL7.x i686/x86_64 (2022:1440)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Scientific Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SLSA-2022:1440-1 advisory.\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.scientificlinux.org/category/sl-errata/slsa-20221440-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fermilab:scientific_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-static-libs\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Scientific Linux' >!< release) audit(AUDIT_OS_NOT, 'Scientific Linux');\nvar os_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Scientific Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Scientific Linux 7.x', 'Scientific Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Scientific Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-debuginfo / java-11-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:40:21", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1440 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-20T00:00:00", "type": "nessus", "title": "RHEL 7 : java-11-openjdk (RHSA-2022:1440)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs"], "id": "REDHAT-RHSA-2022-1440.NASL", "href": "https://www.tenable.com/plugins/nessus/160015", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1440. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160015);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1440\");\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"RHEL 7 : java-11-openjdk (RHSA-2022:1440)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1440 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1440\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/debug',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/os',\n 'content/dist/rhel-alt/server/7/7Server/armv8-a/aarch64/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/os',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/client/7/7Client/x86_64/os',\n 'content/dist/rhel/client/7/7Client/x86_64/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/os',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/os',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/os',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/os',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/os',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/os',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/server/7/7Server/x86_64/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/os',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/os',\n 'content/fastrack/rhel/client/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/os',\n 'content/fastrack/rhel/client/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/os',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/os',\n 'content/fastrack/rhel/computenode/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/os',\n 'content/fastrack/rhel/power/7/ppc64/optional/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/os',\n 'content/fastrack/rhel/power/7/ppc64/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/os',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/optional/debug',\n 'content/fastrack/rhel/server/7/x86_64/optional/os',\n 'content/fastrack/rhel/server/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/debug',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/os',\n 'content/fastrack/rhel/system-z/7/s390x/optional/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/os',\n 'content/fastrack/rhel/system-z/7/s390x/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/os',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/os',\n 'content/fastrack/rhel/workstation/7/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / java-11-openjdk-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:40:22", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1489 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-25T00:00:00", "type": "nessus", "title": "RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1489)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:8.2", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/o:redhat:rhel_tus:8.2", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src"], "id": "REDHAT-RHSA-2022-1489.NASL", "href": "https://www.tenable.com/plugins/nessus/160187", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1489. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160187);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1489\");\n\n script_name(english:\"RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1489)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1489 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.2')) audit(AUDIT_OS_NOT, 'Red Hat 8.2', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/8.2/s390x/sap/os',\n 'content/eus/rhel8/8.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/supplementary/debug',\n 'content/eus/rhel8/8.2/s390x/supplementary/os',\n 'content/eus/rhel8/8.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/appstream/debug',\n 'content/eus/rhel8/8.2/x86_64/appstream/os',\n 'content/eus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/baseos/debug',\n 'content/eus/rhel8/8.2/x86_64/baseos/os',\n 'content/eus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.2/x86_64/highavailability/os',\n 'content/eus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap/debug',\n 'content/eus/rhel8/8.2/x86_64/sap/os',\n 'content/eus/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.2/x86_64/supplementary/os',\n 'content/eus/rhel8/8.2/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/appstream/debug',\n 'content/tus/rhel8/8.2/x86_64/appstream/os',\n 'content/tus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/baseos/debug',\n 'content/tus/rhel8/8.2/x86_64/baseos/os',\n 'content/tus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.2/x86_64/highavailability/os',\n 'content/tus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/nfv/debug',\n 'content/tus/rhel8/8.2/x86_64/nfv/os',\n 'content/tus/rhel8/8.2/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/rt/debug',\n 'content/tus/rhel8/8.2/x86_64/rt/os',\n 'content/tus/rhel8/8.2/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Advanced Update Support, Extended Update Support, Telco Extended Update Support or Update Services for SAP Solutions repositories.\\n' +\n 'Access to these repositories requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:31:55", "description": "The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-2137 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-07T00:00:00", "type": "nessus", "title": "Oracle Linux 9 : java-1.8.0-openjdk (ELSA-2022-2137)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-07-07T00:00:00", "cpe": ["cpe:/o:oracle:linux:9", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-fastdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-slowdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-fastdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-slowdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-fastdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-fastdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-slowdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-slowdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-fastdebug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-slowdebug"], "id": "ORACLELINUX_ELSA-2022-2137.NASL", "href": "https://www.tenable.com/plugins/nessus/162797", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-2137.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162797);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/07\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n\n script_name(english:\"Oracle Linux 9 : java-1.8.0-openjdk (ELSA-2022-2137)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-2137 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-2137.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-slowdebug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-demo / java-1.8.0-openjdk-demo-fastdebug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:31", "description": "The version of java-1.8.0-amazon-corretto installed on the remote host is prior to 1.8.0_332.b08-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2CORRETTO8-2022-002 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-02T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : java-1.8.0-amazon-corretto (ALASCORRETTO8-2022-002)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-08-09T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto", "p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto-devel", "cpe:/o:amazon:linux:2"], "id": "AL2_ALASCORRETTO8-2022-002.NASL", "href": "https://www.tenable.com/plugins/nessus/160405", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASCORRETTO8-2022-002.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160405);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/09\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"Amazon Linux 2 : java-1.8.0-amazon-corretto (ALASCORRETTO8-2022-002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of java-1.8.0-amazon-corretto installed on the remote host is prior to 1.8.0_332.b08-1. It is, therefore,\naffected by multiple vulnerabilities as referenced in the ALAS2CORRETTO8-2022-002 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASCORRETTO8-2022-002.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21426.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21434.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21443.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21496.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update java-1.8.0-amazon-corretto' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'java-1.8.0-amazon-corretto-1.8.0_332.b08-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-amazon-corretto-1.8.0_332.b08-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-amazon-corretto-devel-1.8.0_332.b08-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-amazon-corretto-devel-1.8.0_332.b08-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-amazon-corretto / java-1.8.0-amazon-corretto-devel\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-02T15:05:25", "description": "The version of java-17-amazon-corretto installed on the remote host is prior to 17.0.3+6-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1791 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-27T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : java-17-amazon-corretto (ALAS-2022-1791)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21496"], "modified": "2023-10-31T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-17-amazon-corretto", "p-cpe:/a:amazon:linux:java-17-amazon-corretto-devel", "p-cpe:/a:amazon:linux:java-17-amazon-corretto-headless", "p-cpe:/a:amazon:linux:java-17-amazon-corretto-javadoc", "p-cpe:/a:amazon:linux:java-17-amazon-corretto-jmods", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2022-1791.NASL", "href": "https://www.tenable.com/plugins/nessus/160269", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1791.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160269);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/31\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21449\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n script_xref(name:\"ALAS\", value:\"2022-1791\");\n\n script_name(english:\"Amazon Linux 2 : java-17-amazon-corretto (ALAS-2022-1791)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of java-17-amazon-corretto installed on the remote host is prior to 17.0.3+6-1. It is, therefore, affected\nby multiple vulnerabilities as referenced in the ALAS2-2022-1791 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle\n GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion\n or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2022-21449)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2022-1791.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21426.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21434.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21443.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21449.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21496.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update java-17-amazon-corretto' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21449\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-17-amazon-corretto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-17-amazon-corretto-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-17-amazon-corretto-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-17-amazon-corretto-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-17-amazon-corretto-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'java-17-amazon-corretto-17.0.3+6-1.amzn2.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-17.0.3+6-1.amzn2.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-devel-17.0.3+6-1.amzn2.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-devel-17.0.3+6-1.amzn2.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-headless-17.0.3+6-1.amzn2.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-headless-17.0.3+6-1.amzn2.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-javadoc-17.0.3+6-1.amzn2.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-javadoc-17.0.3+6-1.amzn2.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-jmods-17.0.3+6-1.amzn2.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-17-amazon-corretto-jmods-17.0.3+6-1.amzn2.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-17-amazon-corretto / java-17-amazon-corretto-devel / java-17-amazon-corretto-headless / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-19T19:29:26", "description": "The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2022:1487 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-07-17T00:00:00", "type": "nessus", "title": "CentOS 7 : java-1.8.0-openjdk (CESA-2022:1487)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.8.0-openjdk", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-headless", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc-zip"], "id": "CENTOS_RHSA-2022-1487.NASL", "href": "https://www.tenable.com/plugins/nessus/178330", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1487 and\n# CentOS Errata and Security Advisory 2022:1487 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(178330);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/17\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1487\");\n\n script_name(english:\"CentOS 7 : java-1.8.0-openjdk (CESA-2022:1487)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2022:1487 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-announce/2022-May/073583.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?92fa05a9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 191, 400, 470, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/CentOS/release');\nif (isnull(os_release) || 'CentOS' >!< os_release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nvar pkgs = [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9', 'cpu':'i686', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9', 'cpu':'x86_64', 'release':'CentOS-7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && _release) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / java-1.8.0-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:09", "description": "This plugin has been deprecated following detection of an issue with overlapping filenames. It has been replaced by al2_ALASCORRETTO8-2022-002.nasl (plugin ID 160405).", "cvss3": {}, "published": "2022-04-28T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : java-1.8.0-amazon-corretto (ALAS-2022-002) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-08-09T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto", "p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto-devel", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2022-002.NASL", "href": "https://www.tenable.com/plugins/nessus/160314", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2022-002.\n#\n# @DEPRECATED\n#\n# Deisabled on 2022/05/02. Deprecated by al2_ALASCORRETTO8-2022-002.nasl (160405)\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160314);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/09\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n script_xref(name:\"ALAS\", value:\"2022-002\");\n\n script_name(english:\"Amazon Linux 2 : java-1.8.0-amazon-corretto (ALAS-2022-002) (deprecated)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin has been deprecated following detection of an issue with overlapping filenames. \nIt has been replaced by al2_ALASCORRETTO8-2022-002.nasl (plugin ID 160405).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASCORRETTO8-2022-002.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21426.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21434.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21443.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21496.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"N/A\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-amazon-corretto-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\nexit(0, 'This plugin has been deprecated, use al2_ALASCORRETTO8-2022-002.nasl (plugin ID 160405) instead.');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-12T13:31:16", "description": "The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:1442 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-11-07T00:00:00", "type": "nessus", "title": "Rocky Linux 8 : java-11-openjdk (RLSA-2022:1442)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-11-07T00:00:00", "cpe": ["p-cpe:/a:rocky:linux:java-11-openjdk", "p-cpe:/a:rocky:linux:java-11-openjdk-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-debugsource", "p-cpe:/a:rocky:linux:java-11-openjdk-demo", "p-cpe:/a:rocky:linux:java-11-openjdk-demo-fastdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-demo-slowdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-devel", "p-cpe:/a:rocky:linux:java-11-openjdk-devel-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-devel-fastdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-devel-fastdebug-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-devel-slowdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-devel-slowdebug-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-fastdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-fastdebug-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-headless", "p-cpe:/a:rocky:linux:java-11-openjdk-headless-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-headless-fastdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-headless-fastdebug-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-headless-slowdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-headless-slowdebug-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-javadoc", "p-cpe:/a:rocky:linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:rocky:linux:java-11-openjdk-jmods", "p-cpe:/a:rocky:linux:java-11-openjdk-jmods-fastdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-jmods-slowdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-slowdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-slowdebug-debuginfo", "p-cpe:/a:rocky:linux:java-11-openjdk-src", "p-cpe:/a:rocky:linux:java-11-openjdk-src-fastdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-src-slowdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-static-libs", "p-cpe:/a:rocky:linux:java-11-openjdk-static-libs-fastdebug", "p-cpe:/a:rocky:linux:java-11-openjdk-static-libs-slowdebug", "cpe:/o:rocky:linux:8"], "id": "ROCKY_LINUX_RLSA-2022-1442.NASL", "href": "https://www.tenable.com/plugins/nessus/184924", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# Rocky Linux Security Advisory RLSA-2022:1442.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(184924);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/07\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RLSA\", value:\"2022:1442\");\n\n script_name(english:\"Rocky Linux 8 : java-11-openjdk (RLSA-2022:1442)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Rocky Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nRLSA-2022:1442 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.rockylinux.org/RLSA-2022:1442\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/11/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-devel-fastdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-devel-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-fastdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-headless-fastdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-headless-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:rocky:linux:java-11-

Azul Zulu Java Multiple Vulnerabilities (2022-04-19)

Description

Related