ID CENTOS_RHSA-2013-0246.NASL Type nessus Reporter Tenable Modified 2016-01-27T00:00:00
Description
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.
Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)
Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
(CVE-2013-1478, CVE-2013-1480)
A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)
The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)
Multiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)
It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
(CVE-2013-0424)
It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
(CVE-2013-0440)
It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)
This erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.
Refer to the NEWS file, linked to in the References, for further information.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:0246 and
# CentOS Errata and Security Advisory 2013:0246 respectively.
#
if (NASL_LEVEL < 3000) exit(0);
include("compat.inc");
if (description)
{
script_id(64512);
script_version("$Revision: 1.8 $");
script_cvs_date("$Date: 2016/01/27 16:45:01 $");
script_cve_id("CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0445", "CVE-2013-0450", "CVE-2013-1475", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480");
script_osvdb_id(89758, 89759, 89760, 89761, 89762, 89763, 89767, 89769, 89771, 89772, 89786, 89792, 89795, 89796, 89798, 89800, 89801, 89802, 89804, 89806);
script_xref(name:"RHSA", value:"2013:0246");
script_name(english:"CentOS 5 : java-1.6.0-openjdk (CESA-2013:0246)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote CentOS host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"Updated java-1.6.0-openjdk packages that fix several security issues
are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.
These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.
Multiple improper permission check issues were discovered in the AWT,
CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441,
CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450,
CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)
Multiple flaws were found in the way image parsers in the 2D and AWT
components handled image raster parameters. A specially crafted image
could cause Java Virtual Machine memory corruption and, possibly, lead
to arbitrary code execution with the virtual machine privileges.
(CVE-2013-1478, CVE-2013-1480)
A flaw was found in the AWT component's clipboard handling code. An
untrusted Java application or applet could use this flaw to access
clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)
The default Java security properties configuration did not restrict
access to certain com.sun.xml.internal packages. An untrusted Java
application or applet could use this flaw to access information,
bypassing certain Java sandbox restrictions. This update lists the
whole package as restricted. (CVE-2013-0435)
Multiple improper permission check issues were discovered in the
Libraries, Networking, and JAXP components. An untrusted Java
application or applet could use these flaws to bypass certain Java
sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)
It was discovered that the RMI component's CGIHandler class used user
inputs in error messages without any sanitization. An attacker could
use this flaw to perform a cross-site scripting (XSS) attack.
(CVE-2013-0424)
It was discovered that the SSL/TLS implementation in the JSSE
component did not properly enforce handshake message ordering,
allowing an unlimited number of handshake restarts. A remote attacker
could use this flaw to make an SSL/TLS server using JSSE consume an
excessive amount of CPU by continuously restarting the handshake.
(CVE-2013-0440)
It was discovered that the JSSE component did not properly validate
Diffie-Hellman public keys. An SSL/TLS client could possibly use this
flaw to perform a small subgroup attack. (CVE-2013-0443)
This erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.
Refer to the NEWS file, linked to in the References, for further
information.
All users of java-1.6.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect."
);
# http://lists.centos.org/pipermail/centos-announce/2013-February/019231.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?9cfaa478"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected java-1.6.0-openjdk packages."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:java-1.6.0-openjdk");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:java-1.6.0-openjdk-src");
script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
script_set_attribute(attribute:"patch_publication_date", value:"2013/02/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/10");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.");
script_family(english:"CentOS Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/CentOS/release")) audit(AUDIT_OS_NOT, "CentOS");
if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
flag = 0;
if (rpm_check(release:"CentOS-5", reference:"java-1.6.0-openjdk-1.6.0.0-1.33.1.11.6.el5_9")) flag++;
if (rpm_check(release:"CentOS-5", reference:"java-1.6.0-openjdk-demo-1.6.0.0-1.33.1.11.6.el5_9")) flag++;
if (rpm_check(release:"CentOS-5", reference:"java-1.6.0-openjdk-devel-1.6.0.0-1.33.1.11.6.el5_9")) flag++;
if (rpm_check(release:"CentOS-5", reference:"java-1.6.0-openjdk-javadoc-1.6.0.0-1.33.1.11.6.el5_9")) flag++;
if (rpm_check(release:"CentOS-5", reference:"java-1.6.0-openjdk-src-1.6.0.0-1.33.1.11.6.el5_9")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
{"published": "2013-02-10T00:00:00", "id": "CENTOS_RHSA-2013-0246.NASL", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [{"differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:56", "bulletin": {"enchantments": {}, "published": "2013-02-10T00:00:00", "id": "CENTOS_RHSA-2013-0246.NASL", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [], "cpe": [], "hash": "facc9f83a5de07b1f1eab0717a74749da5fb6f96ae7ba7a05c6717cec6276f21", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "type": "nessus", "pluginID": "64512", "lastseen": "2016-09-26T17:23:56", "edition": 1, "title": "CentOS 5 : java-1.6.0-openjdk (CESA-2013:0246)", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64512", "modified": "2016-01-27T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "references": ["http://www.nessus.org/u?9cfaa478"], "naslFamily": "CentOS Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0246 and \n# CentOS Errata and Security Advisory 2013:0246 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64512);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2016/01/27 16:45:01 $\");\n\n script_cve_id(\"CVE-2013-0424\", \"CVE-2013-0425\", \"CVE-2013-0426\", \"CVE-2013-0427\", \"CVE-2013-0428\", \"CVE-2013-0429\", \"CVE-2013-0432\", \"CVE-2013-0433\", \"CVE-2013-0434\", \"CVE-2013-0435\", \"CVE-2013-0440\", \"CVE-2013-0441\", \"CVE-2013-0442\", \"CVE-2013-0443\", \"CVE-2013-0445\", \"CVE-2013-0450\", \"CVE-2013-1475\", \"CVE-2013-1476\", \"CVE-2013-1478\", \"CVE-2013-1480\");\n script_osvdb_id(89758, 89759, 89760, 89761, 89762, 89763, 89767, 89769, 89771, 89772, 89786, 89792, 89795, 89796, 89798, 89800, 89801, 89802, 89804, 89806);\n script_xref(name:\"RHSA\", value:\"2013:0246\");\n\n script_name(english:\"CentOS 5 : java-1.6.0-openjdk (CESA-2013:0246)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-openjdk packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441,\nCVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450,\nCVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially crafted image\ncould cause Java Virtual Machine memory corruption and, possibly, lead\nto arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict\naccess to certain com.sun.xml.internal packages. An untrusted Java\napplication or applet could use this flaw to access information,\nbypassing certain Java sandbox restrictions. This update lists the\nwhole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the\nLibraries, Networking, and JAXP components. An untrusted Java\napplication or applet could use these flaws to bypass certain Java\nsandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could\nuse this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE\ncomponent did not properly enforce handshake message ordering,\nallowing an unlimited number of handshake restarts. A remote attacker\ncould use this flaw to make an SSL/TLS server using JSSE consume an\nexcessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this\nflaw to perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2013-February/019231.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9cfaa478\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.6.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "hashmap": [{"hash": "6055143de62d8035d6bbb729fac8151b", "key": "published"}, {"hash": "b7e0a5659cdab412fdc73bdfa8647220", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "affe97ebe84ceacc088aaa7f3d9f11f7", "key": "references"}, {"hash": "c197e92f11a466dd5695d2fb3a68755c", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "03708deed834a0b33bf863cd965c8644", "key": "href"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "12074a9d65b3a532f84cfd903b9f3717", "key": "title"}, {"hash": "4b8afb39a41acf9a8eb8d67a50f02ac2", "key": "modified"}, {"hash": "942a66e5726350ad9baf67bc37a36da4", "key": "cvelist"}, {"hash": "924fb03b4a5e2fdef3b8808f61240e08", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "objectVersion": "1.2"}}], "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "hash": "74eb5f84b080c68c9b096bdb24073de69ef384dd6aabc4e5758613db6aadbeb2", "enchantments": {"vulnersScore": 6.8}, "type": "nessus", "pluginID": "64512", "lastseen": "2017-10-29T13:35:56", "edition": 2, "cpe": ["p-cpe:/a:centos:centos:java-1.6.0-openjdk", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel", "cpe:/o:centos:centos:5"], "title": "CentOS 5 : java-1.6.0-openjdk (CESA-2013:0246)", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64512", "modified": "2016-01-27T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "references": ["http://www.nessus.org/u?9cfaa478"], "naslFamily": "CentOS Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0246 and \n# CentOS Errata and Security Advisory 2013:0246 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64512);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2016/01/27 16:45:01 $\");\n\n script_cve_id(\"CVE-2013-0424\", \"CVE-2013-0425\", \"CVE-2013-0426\", \"CVE-2013-0427\", \"CVE-2013-0428\", \"CVE-2013-0429\", \"CVE-2013-0432\", \"CVE-2013-0433\", \"CVE-2013-0434\", \"CVE-2013-0435\", \"CVE-2013-0440\", \"CVE-2013-0441\", \"CVE-2013-0442\", \"CVE-2013-0443\", \"CVE-2013-0445\", \"CVE-2013-0450\", \"CVE-2013-1475\", \"CVE-2013-1476\", \"CVE-2013-1478\", \"CVE-2013-1480\");\n script_osvdb_id(89758, 89759, 89760, 89761, 89762, 89763, 89767, 89769, 89771, 89772, 89786, 89792, 89795, 89796, 89798, 89800, 89801, 89802, 89804, 89806);\n script_xref(name:\"RHSA\", value:\"2013:0246\");\n\n script_name(english:\"CentOS 5 : java-1.6.0-openjdk (CESA-2013:0246)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.6.0-openjdk packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441,\nCVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450,\nCVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially crafted image\ncould cause Java Virtual Machine memory corruption and, possibly, lead\nto arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict\naccess to certain com.sun.xml.internal packages. An untrusted Java\napplication or applet could use this flaw to access information,\nbypassing certain Java sandbox restrictions. This update lists the\nwhole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the\nLibraries, Networking, and JAXP components. An untrusted Java\napplication or applet could use these flaws to bypass certain Java\nsandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could\nuse this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE\ncomponent did not properly enforce handshake message ordering,\nallowing an unlimited number of handshake restarts. A remote attacker\ncould use this flaw to make an SSL/TLS server using JSSE consume an\nexcessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this\nflaw to perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2013-February/019231.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9cfaa478\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.6.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.33.1.11.6.el5_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "e7c416bd6df41c000800c47459e9a752", "key": "cpe"}, {"hash": "942a66e5726350ad9baf67bc37a36da4", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "924fb03b4a5e2fdef3b8808f61240e08", "key": "description"}, {"hash": "03708deed834a0b33bf863cd965c8644", "key": "href"}, {"hash": "4b8afb39a41acf9a8eb8d67a50f02ac2", "key": "modified"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "b7e0a5659cdab412fdc73bdfa8647220", "key": "pluginID"}, {"hash": "6055143de62d8035d6bbb729fac8151b", "key": "published"}, {"hash": "affe97ebe84ceacc088aaa7f3d9f11f7", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "c197e92f11a466dd5695d2fb3a68755c", "key": "sourceData"}, {"hash": "12074a9d65b3a532f84cfd903b9f3717", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "objectVersion": "1.3"}
{"result": {"cve": [{"id": "CVE-2013-0426", "type": "cve", "title": "CVE-2013-0426", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect \"access control checks\" in the logging API that allow remote attackers to bypass Java sandbox restrictions.", "published": "2013-02-01T19:55:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0426", "cvelist": ["CVE-2013-0426"], "lastseen": "2017-09-19T13:38:34"}, {"id": "CVE-2013-0427", "type": "cve", "title": "CVE-2013-0427", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Libraries. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to interrupt certain threads that should not be interrupted.", "published": "2013-02-01T19:55:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0427", "cvelist": ["CVE-2013-0427"], "lastseen": "2017-09-19T13:38:34"}, {"id": "CVE-2013-1478", "type": "cve", "title": "CVE-2013-1478", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to \"insufficient validation of raster parameters\" that can trigger an integer overflow and memory corruption.", "published": "2013-02-01T19:55:02", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1478", "cvelist": ["CVE-2013-1478"], "lastseen": "2017-09-19T13:38:40"}, {"id": "CVE-2013-0428", "type": "cve", "title": "CVE-2013-0428", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0426. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to \"incorrect checks for proxy classes\" in the Reflection API.", "published": "2013-02-01T19:55:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0428", "cvelist": ["CVE-2013-0428"], "lastseen": "2017-09-19T13:38:34"}, {"id": "CVE-2013-0429", "type": "cve", "title": "CVE-2013-0429", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue involves the creation of a single PresentationManager that is shared across multiple thread groups, which allows remote attackers to bypass Java sandbox restrictions.", "published": "2013-02-01T19:55:01", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0429", "cvelist": ["CVE-2013-0429"], "lastseen": "2017-09-19T13:38:34"}, {"id": "CVE-2013-1475", "type": "cve", "title": "CVE-2013-1475", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to \"IIOP type reuse management\" in ObjectStreamClass.java.", "published": "2013-02-01T19:55:02", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1475", "cvelist": ["CVE-2013-1475"], "lastseen": "2017-09-19T13:38:40"}, {"id": "CVE-2013-0435", "type": "cve", "title": "CVE-2013-0435", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAX-WS. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper restriction of com.sun.xml.internal packages and \"Better handling of UI elements.\"", "published": "2013-02-01T19:55:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0435", "cvelist": ["CVE-2013-0435"], "lastseen": "2017-09-19T13:38:34"}, {"id": "CVE-2013-0442", "type": "cve", "title": "CVE-2013-0442", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an improper check of \"privileges of the code\" that bypasses the sandbox.", "published": "2013-02-01T19:55:02", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0442", "cvelist": ["CVE-2013-0442"], "lastseen": "2017-09-19T13:38:34"}, {"id": "CVE-2013-0434", "type": "cve", "title": "CVE-2013-0434", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAXP. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the public declaration of the loadPropertyFile method in the JAXP FuncSystemProperty class, which allows remote attackers to obtain sensitive information.", "published": "2013-02-01T19:55:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0434", "cvelist": ["CVE-2013-0434"], "lastseen": "2017-09-19T13:38:34"}, {"id": "CVE-2013-0443", "type": "cve", "title": "CVE-2013-0443", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect validation of Diffie-Hellman keys, which allows remote attackers to conduct a \"small subgroup attack\" to force the use of weak session keys or obtain sensitive information about the private key.", "published": "2013-02-01T19:55:02", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0443", "cvelist": ["CVE-2013-0443"], "lastseen": "2017-09-19T13:38:34"}], "suse": [{"id": "SUSE-SU-2013:0440-3", "type": "suse", "title": "Security update for Java (important)", "description": "IBM Java 1.4.2 has been updated to SR13-FP15 which fixes\n various critical security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Security issues fixed:\n\n CVE-2013-1478, CVE-2013-1480, CVE-2013-1476, CVE-2013-0442,\n CVE-2013-0425, CVE-2013-0426, CVE-2013-0428,\n CVE-2013-1481, CVE-2013-0432, CVE-2013-0434,\n CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.\n\n", "published": "2013-03-14T23:04:46", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00022.html", "cvelist": ["CVE-2013-0426", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2016-09-04T11:29:41"}, {"id": "SUSE-SU-2013:0440-2", "type": "suse", "title": "Security update for Java (important)", "description": "IBM Java 1.4.2 has been updated to SR13-FP15 which fixes\n various critical security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Security issues fixed:\n\n CVE-2013-1478, CVE-2013-1480, CVE-2013-1476, CVE-2013-0442,\n CVE-2013-0425, CVE-2013-0426, CVE-2013-0428,\n CVE-2013-1481, CVE-2013-0432, CVE-2013-0434,\n CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.\n\n", "published": "2013-03-13T18:04:30", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00016.html", "cvelist": ["CVE-2013-0426", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2016-09-04T12:36:29"}, {"id": "SUSE-SU-2013:0478-1", "type": "suse", "title": "Security update for IBM Java2 JRE and SDK (important)", "description": "IBM Java 1.4.2 has been updated to SR13-FP15 which fixes\n various critical security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Security issues fixed:\n\n CVE-2013-1478, CVE-2013-1480, CVE-2013-1476, CVE-2013-0442,\n CVE-2013-0425, CVE-2013-0426, CVE-2013-0428,\n CVE-2013-1481, CVE-2013-0432, CVE-2013-0434,\n CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.\n\n\n", "published": "2013-03-18T22:04:28", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00034.html", "cvelist": ["CVE-2013-0426", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2016-09-04T11:51:43"}, {"id": "SUSE-SU-2013:0440-4", "type": "suse", "title": "Security update for Java (important)", "description": "IBM Java 5 has been updated to SR16 which fixes various\n critical security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Security issues fixed:\n\n CVE-2013-1486, CVE-2013-1478, CVE-2013-0445, CVE-2013-1480,\n CVE-2013-1476, CVE-2013-0442, CVE-2013-0425,\n CVE-2013-0426, CVE-2013-0428, CVE-2013-1481,\n CVE-2013-0432, CVE-2013-0434, CVE-2013-0409, CVE-2013-0427,\n CVE-2013-0433, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.\n\n\n", "published": "2013-03-15T20:04:28", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00030.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2016-09-04T11:50:34"}, {"id": "SUSE-SU-2013:0440-6", "type": "suse", "title": "Security update for Java (important)", "description": "IBM Java 5 has been updated to SR16 which fixes various\n critical security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Security issues fixed:\n\n CVE-2013-1486, CVE-2013-1478, CVE-2013-0445, CVE-2013-1480,\n CVE-2013-1476, CVE-2013-0442, CVE-2013-0425,\n CVE-2013-0426, CVE-2013-0428, CVE-2013-1481,\n CVE-2013-0432, CVE-2013-0434, CVE-2013-0409, CVE-2013-0427,\n CVE-2013-0433, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.\n\n\n", "published": "2013-03-18T21:04:29", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00033.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2016-09-04T11:45:49"}, {"id": "SUSE-SU-2013:0315-1", "type": "suse", "title": "Security update for Java 1.6.0 (important)", "description": "java-1_6_0-openjdk based on Icedtea6-1.12.2 was released,\n fixing various security issues:\n\n New in release 1.12.2 (2012-02-03):\n\n *\n\n Security fixes\n\n o S6563318, CVE-2013-0424: RMI data sanitization\n o S6664509, CVE-2013-0425: Add logging context o S6664528,\n CVE-2013-0426: Find log level matching its name or value\n given at construction time o S6776941: CVE-2013-0427:\n Improve thread pool shutdown o S7141694, CVE-2013-0429:\n Improving CORBA internals o S7173145: Improve in-memory\n representation of splashscreens o S7186945: Unpack200\n improvement o S7186946: Refine unpacker resource usage o\n S7186948: Improve Swing data validation o S7186952,\n CVE-2013-0432: Improve clipboard access o S7186954: Improve\n connection performance o S7186957: Improve Pack200 data\n validation o S7192392, CVE-2013-0443: Better validation of\n client keys o S7192393, CVE-2013-0440: Better Checking of\n order of TLS Messages o S7192977, CVE-2013-0442: Issue in\n toolkit thread o S7197546, CVE-2013-0428: (proxy) Reflect\n about creating reflective proxies o S7200491: Tighten up\n JTable layout code o S7200500: Launcher better input\n validation o S7201064: Better dialogue checking o S7201066,\n CVE-2013-0441: Change modifiers on unused fields o\n S7201068, CVE-2013-0435: Better handling of UI elements o\n S7201070: Serialization to conform to protocol o S7201071,\n CVE-2013-0433: InetSocketAddress serialization issue o\n S8000210: Improve JarFile code quality o S8000537,\n CVE-2013-0450: Contextualize RequiredModelMBean class o\n S8000540, CVE-2013-1475: Improve IIOP type reuse management\n o S8000631, CVE-2013-1476: Restrict access to class\n constructor o S8001235, CVE-2013-0434: Improve JAXP HTTP\n handling o S8001242: Improve RMI HTTP conformance o\n S8001307: Modify ACC_SUPER behavior o S8001972,\n CVE-2013-1478: Improve image processing o S8002325,\n CVE-2013-1480: Improve management of images\n *\n\n Backports\n\n o S7010849: 5/5 Extraneous javac source/target\n options when building sa-jdi o S8004341: Two JCK tests\n fails with 7u11 b06 o S8005615: Java Logger fails to load\n tomcat logger implementation (JULI)\n *\n\n Bug fixes\n\n o PR1297: cacao and jamvm parallel unpack\n failures o PR1301: PR1171 causes builds of Zero to fail\n\n", "published": "2013-02-20T16:04:20", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00015.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-04T11:23:06"}, {"id": "OPENSUSE-SU-2013:0308-1", "type": "suse", "title": "java-1_6_0-openjdk to 1.12.2 (important)", "description": "OpenJDK (java-1_6_0-openjdk) was updated to 1.12.2 to fix\n bugs and security issues (bnc#801972)\n\n * Security fixes (on top of 1.12.0)\n - S6563318, CVE-2013-0424: RMI data sanitization\n - S6664509, CVE-2013-0425: Add logging context\n - S6664528, CVE-2013-0426: Find log level matching its\n name or value given at construction time\n - S6776941: CVE-2013-0427: Improve thread pool shutdown\n - S7141694, CVE-2013-0429: Improving CORBA internals\n - S7173145: Improve in-memory representation of\n splashscreens\n - S7186945: Unpack200 improvement\n - S7186946: Refine unpacker resource usage\n - S7186948: Improve Swing data validation\n - S7186952, CVE-2013-0432: Improve clipboard access\n - S7186954: Improve connection performance\n - S7186957: Improve Pack200 data validation\n - S7192392, CVE-2013-0443: Better validation of client\n keys\n - S7192393, CVE-2013-0440: Better Checking of order of\n TLS Messages\n - S7192977, CVE-2013-0442: Issue in toolkit thread\n - S7197546, CVE-2013-0428: (proxy) Reflect about creating\n reflective proxies\n - S7200491: Tighten up JTable layout code\n - S7200500: Launcher better input validation\n - S7201064: Better dialogue checking\n - S7201066, CVE-2013-0441: Change modifiers on unused\n fields\n - S7201068, CVE-2013-0435: Better handling of UI elements\n - S7201070: Serialization to conform to protocol\n - S7201071, CVE-2013-0433: InetSocketAddress\n serialization issue\n - S8000210: Improve JarFile code quality\n - S8000537, CVE-2013-0450: Contextualize\n RequiredModelMBean class\n - S8000540, CVE-2013-1475: Improve IIOP type reuse\n management\n - S8000631, CVE-2013-1476: Restrict access to class\n constructor\n - S8001235, CVE-2013-0434: Improve JAXP HTTP handling\n\n", "published": "2013-02-19T11:04:35", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00013.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-04T11:41:29"}, {"id": "OPENSUSE-SU-2013:0312-1", "type": "suse", "title": "java-1_6_0-openjdk to 1.12.1 (important)", "description": "OpenJDK (java-1_6_0-openjdk) was updated to 1.12.1 to fix\n bugs and security issues (bnc#801972)\n\n * Security fixes (on top of 1.12.0)\n - S6563318, CVE-2013-0424: RMI data sanitization\n - S6664509, CVE-2013-0425: Add logging context\n - S6664528, CVE-2013-0426: Find log level matching its\n name or value given at construction time\n - S6776941: CVE-2013-0427: Improve thread pool shutdown\n - S7141694, CVE-2013-0429: Improving CORBA internals\n - S7173145: Improve in-memory representation of\n splashscreens\n - S7186945: Unpack200 improvement\n - S7186946: Refine unpacker resource usage\n - S7186948: Improve Swing data validation\n - S7186952, CVE-2013-0432: Improve clipboard access\n - S7186954: Improve connection performance\n - S7186957: Improve Pack200 data validation\n - S7192392, CVE-2013-0443: Better validation of client\n keys\n - S7192393, CVE-2013-0440: Better Checking of order of\n TLS Messages\n - S7192977, CVE-2013-0442: Issue in toolkit thread\n - S7197546, CVE-2013-0428: (proxy) Reflect about creating\n reflective proxies\n - S7200491: Tighten up JTable layout code\n - S7200500: Launcher better input validation\n - S7201064: Better dialogue checking\n - S7201066, CVE-2013-0441: Change modifiers on unused\n fields\n - S7201068, CVE-2013-0435: Better handling of UI elements\n - S7201070: Serialization to conform to protocol\n - S7201071, CVE-2013-0433: InetSocketAddress\n serialization issue\n - S8000210: Improve JarFile code quality\n - S8000537, CVE-2013-0450: Contextualize\n RequiredModelMBean class\n - S8000540, CVE-2013-1475: Improve IIOP type reuse\n management\n - S8000631, CVE-2013-1476: Restrict access to class\n constructor\n - S8001235, CVE-2013-0434: Improve JAXP HTTP handling\n\n", "published": "2013-02-19T15:04:26", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00014.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-04T11:57:01"}, {"id": "OPENSUSE-SU-2013:0377-1", "type": "suse", "title": "java-1_7_0-openjdk: update to 2.3.6 (critical)", "description": "java-1_7_0-openjdk was updated to icedtea-2.3.6\n (bnc#803379) containing various security and bugfixes:\n\n * Security fixes\n - S6563318, CVE-2013-0424: RMI data sanitization\n - S6664509, CVE-2013-0425: Add logging context\n - S6664528, CVE-2013-0426: Find log level matching its\n name or value given at construction time\n - S6776941: CVE-2013-0427: Improve thread pool shutdown\n - S7141694, CVE-2013-0429: Improving CORBA internals\n - S7173145: Improve in-memory representation of\n splashscreens\n - S7186945: Unpack200 improvement\n - S7186946: Refine unpacker resource usage\n - S7186948: Improve Swing data validation\n - S7186952, CVE-2013-0432: Improve clipboard access\n - S7186954: Improve connection performance\n - S7186957: Improve Pack200 data validation\n - S7192392, CVE-2013-0443: Better validation of client\n keys\n - S7192393, CVE-2013-0440: Better Checking of order of\n TLS Messages\n - S7192977, CVE-2013-0442: Issue in toolkit thread\n - S7197546, CVE-2013-0428: (proxy) Reflect about creating\n reflective proxies\n - S7200491: Tighten up JTable layout code\n - S7200493, CVE-2013-0444: Improve cache handling\n - S7200499: Better data validation for options\n - S7200500: Launcher better input validation\n - S7201064: Better dialogue checking\n - S7201066, CVE-2013-0441: Change modifiers on unused\n fields\n - S7201068, CVE-2013-0435: Better handling of UI elements\n - S7201070: Serialization to conform to protocol\n - S7201071, CVE-2013-0433: InetSocketAddress\n serialization issue\n - S8000210: Improve JarFile code quality\n - S8000537, CVE-2013-0450: Contextualize\n RequiredModelMBean class\n - S8000539, CVE-2013-0431: Introspect JMX data handling\n - S8000540, CVE-2013-1475: Improve IIOP type reuse\n management\n - S8000631, CVE-2013-1476: Restrict access to class\n constructor\n - S8001235, CVE-2013-0434: Improve JAXP HTTP handling\n - S8001242: Improve RMI HTTP conformance\n - S8001307: Modify ACC_SUPER behavior\n - S8001972, CVE-2013-1478: Improve image processing\n - S8002325, CVE-2013-1480: Improve management of images\n * Backports\n - S7057320:\n test/java/util/concurrent/Executors/AutoShutdown.java\n failing intermittently\n - S7083664: TEST_BUG: test hard code of using c:/temp but\n this dir might not exist\n - S7107613: scalability blocker in\n javax.crypto.CryptoPermissions\n - S7107616: scalability blocker in\n javax.crypto.JceSecurityManager\n - S7146424: Wildcard expansion for single entry classpath\n - S7160609: [macosx] JDK crash in libjvm.dylib ( C\n [GeForceGLDriver+0x675a] gldAttachDrawable+0x941)\n - S7160951: [macosx] ActionListener called twice for\n JMenuItem using ScreenMenuBar\n - S7162488: VM not printing unknown -XX options\n - S7169395: Exception throws due to the changes in JDK 7\n object tranversal and break backward compatibility\n - S7175616: Port fix for TimeZone from JDK 8 to JDK 7\n - S7176485: (bf) Allow temporary buffer cache to grow to\n IOV_MAX\n - S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and\n reinitialize build number\n - S7184326: TEST_BUG:\n java/awt/Frame/7024749/bug7024749.java has a typo\n - S7185245: Licensee source bundle tries to compile JFR\n - S7185471: Avoid key expansion when AES cipher is\n re-init w/ the same key\n - S7186371: [macosx] Main menu shortcuts not displayed\n (7u6 regression)\n - S7187834: [macosx] Usage of private API in macosx 2d\n implementation causes Apple Store rejection\n - S7188114: (launcher) need an alternate command line\n parser for Windows\n - S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and\n reinitialize build number\n - S7189350: Fix failed for CR 7162144\n - S7190550: REGRESSION: Some closed/com/oracle/jfr/api\n tests fail to compile becuse of fix 7185245\n - S7193219: JComboBox serialization fails in JDK 1.7\n - S7193977: REGRESSION:Java 7's JavaBeans persistence\n ignoring the "transient" flag on properties\n - S7195106: REGRESSION : There is no way to get Icon inf,\n once Softreference is released\n - S7195301: XML Signature DOM implementation should not\n use instanceof to determine type of Node\n - S7195931: UnsatisfiedLinkError on\n PKCS11.C_GetOperationState while using NSS from jre7u6+\n - S7197071: Makefiles for various security providers\n aren't including the default manifest.\n - S7197652: Impossible to run any signed JNLP\n applications or applets, OCSP off by default\n - S7198146: Another new regression test does not compile\n on windows-amd64\n - S7198570: (tz) Support tzdata2012f\n - S7198640: new hotspot build - hs23.6-b04\n - S7199488: [TEST] runtime/7158800/InternTest.java failed\n due to false-positive on PID match.\n - S7199645: Increment build # of hs23.5 to b02\n - S7199669: Update tags in .hgtags file for CPU release\n rename\n - S7200720: crash in net.dll during NTLM authentication\n - S7200742: (se) Selector.select does not block when\n starting Coherence (sol11u1)\n - S7200762: [macosx] Stuck in\n sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Native\n Method)\n - S8000285: Deadlock between PostEventQueue.noEvents,\n EventQueue.isDispatchThread and\n SwingUtilities.invokeLater\n - S8000286: [macosx] Views keep scrolling back to the\n drag position after DnD\n - S8000297: REGRESSION:\n closed/java/awt/EventQueue/PostEventOrderingTest.java\n fails\n - S8000307: Jre7cert: focusgained does not get called for\n all focus req when do alt + tab\n - S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and\n reinitialize build number\n - S8001124: jdk7u ProblemList.txt updates (10/2012)\n - S8001242: Improve RMI HTTP conformance\n - S8001808: Create a test for 8000327\n - S8001876: Create regtest for 8000283\n - S8002068: Build broken: corba code changes unable to\n use new JDK 7 classes\n - S8002091: tools/launcher/ToolsOpts.java test started to\n fail since 7u11 b01 on Windows\n - S8002114: fix failed for JDK-7160951: [macosx]\n ActionListener called twice for JMenuItem using\n ScreenMenuBar\n - S8002225: (tz) Support tzdata2012i\n - S8003402: (dc)\n test/java/nio/channels/DatagramChannel/SendToUnresovled.java\n failing after 7u11 cleanup issues\n - S8003403: Test ShortRSAKeyWithinTLS and\n ClientJSSEServerJSSE failing after 7u11 cleanup\n - S8003948: NTLM/Negotiate authentication problem\n - S8004175: Restricted packages added in java.security\n are missing in java.security-{macosx, solaris, windows}\n - S8004302: javax/xml/soap/Test7013971.java fails since\n jdk6u39b01\n - S8004341: Two JCK tests fails with 7u11 b06\n - S8005615: Java Logger fails to load tomcat logger\n implementation (JULI)\n * Bug fixes\n - Fix build using Zero's HotSpot so all patches apply\n again.\n - PR1295: jamvm parallel unpack failure\n * removed\n icedtea-2.3.2-fix-extract-jamvm-dependency.patch\n - removed\n icedtea-2.3.3-refresh-6924259-string_offset.patch\n\n - few missing /openjdk/%{origin}/ changes\n\n", "published": "2013-03-01T17:05:38", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00001.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0431", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-04T12:15:24"}, {"id": "SUSE-SU-2013:0440-5", "type": "suse", "title": "Security update for IBM Java5 JRE and SDK (important)", "description": "IBM Java 5 has been updated to SR16 which fixes various\n critical security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Security issues fixed:\n\n CVE-2013-1486, CVE-2013-1478, CVE-2013-0445, CVE-2013-1480,\n CVE-2013-1476, CVE-2013-0442, CVE-2013-0425,\n CVE-2013-0426, CVE-2013-0428, CVE-2013-1481,\n CVE-2013-0432, CVE-2013-0434, CVE-2013-0409, CVE-2013-0427,\n CVE-2013-0433, CVE-2013-0424, CVE-2013-0440, CVE-2013-0443.\n\n\n", "published": "2013-03-16T17:06:57", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00032.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2016-09-04T11:28:41"}], "nessus": [{"id": "SUSE_JAVA-1_4_2-IBM-8481.NASL", "type": "nessus", "title": "SuSE 10 Security Update : Java (ZYPP Patch Number 8481)", "description": "IBM Java 1.4.2 has been updated to SR13-FP15 which fixes various critical security issues and bugs.\n\nPlease see the IBM JDK Alert page for more information :\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/\n\nSecurity issues fixed :\n\n - / CVE-2013-0443. (CVE-2013-1478 / CVE-2013-1480 / CVE-2013-1476 / CVE-2013-0442 / CVE-2013-0425 / CVE-2013-0426 / CVE-2013-0428 / CVE-2013-1481 / CVE-2013-0432 / CVE-2013-0434 / CVE-2013-0424 / CVE-2013-0440)", "published": "2013-03-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65546", "cvelist": ["CVE-2013-0426", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2017-10-29T13:34:38"}, {"id": "SUSE_11_JAVA-1_4_2-IBM-130306.NASL", "type": "nessus", "title": "SuSE 11.2 Security Update : Java (SAT Patch Number 7450)", "description": "IBM Java 1.4.2 has been updated to SR13-FP15 which fixes various critical security issues and bugs.\n\nPlease see the IBM JDK Alert page for more information :\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/\n\nSecurity issues fixed :\n\n - / CVE-2013-0443. (CVE-2013-1478 / CVE-2013-1480 / CVE-2013-1476 / CVE-2013-0442 / CVE-2013-0425 / CVE-2013-0426 / CVE-2013-0428 / CVE-2013-1481 / CVE-2013-0432 / CVE-2013-0434 / CVE-2013-0424 / CVE-2013-0440)", "published": "2013-03-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65545", "cvelist": ["CVE-2013-0426", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2017-10-29T13:39:51"}, {"id": "REDHAT-RHSA-2013-0246.NASL", "type": "nessus", "title": "RHEL 5 : java-1.6.0-openjdk (RHSA-2013:0246)", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-02-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64519", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-29T13:34:34"}, {"id": "CENTOS_RHSA-2013-0245.NASL", "type": "nessus", "title": "CentOS 6 : java-1.6.0-openjdk (CESA-2013:0245)", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64536", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-29T13:34:40"}, {"id": "SUSE_JAVA-1_5_0-IBM-8483.NASL", "type": "nessus", "title": "SuSE 10 Security Update : Java (ZYPP Patch Number 8483)", "description": "IBM Java 5 has been updated to SR16 which fixes various critical security issues and bugs.\n\nPlease see the IBM JDK Alert page for more information :\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/\n\nSecurity issues fixed :\n\n - / CVE-2013-0443. (CVE-2013-1486 / CVE-2013-1478 / CVE-2013-0445 / CVE-2013-1480 / CVE-2013-1476 / CVE-2013-0442 / CVE-2013-0425 / CVE-2013-0426 / CVE-2013-0428 / CVE-2013-1481 / CVE-2013-0432 / CVE-2013-0434 / CVE-2013-0409 / CVE-2013-0427 / CVE-2013-0433 / CVE-2013-0424 / CVE-2013-0440)", "published": "2013-03-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65599", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425"], "lastseen": "2017-10-29T13:35:40"}, {"id": "MANDRIVA_MDVSA-2013-010.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2013:010)", "description": "Multiple security issues were identified and fixed in OpenJDK (icedtea6) :\n\n - S6563318, CVE-2013-0424: RMI data sanitization\n\n - S6664509, CVE-2013-0425: Add logging context\n\n - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time\n\n - S6776941: CVE-2013-0427: Improve thread pool shutdown\n\n - S7141694, CVE-2013-0429: Improving CORBA internals\n\n - S7173145: Improve in-memory representation of splashscreens\n\n - S7186945: Unpack200 improvement\n\n - S7186946: Refine unpacker resource usage\n\n - S7186948: Improve Swing data validation\n\n - S7186952, CVE-2013-0432: Improve clipboard access\n\n - S7186954: Improve connection performance\n\n - S7186957: Improve Pack200 data validation\n\n - S7192392, CVE-2013-0443: Better validation of client keys\n\n - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages\n\n - S7192977, CVE-2013-0442: Issue in toolkit thread\n\n - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies\n\n - S7200491: Tighten up JTable layout code\n\n - S7200500: Launcher better input validation\n\n - S7201064: Better dialogue checking\n\n - S7201066, CVE-2013-0441: Change modifiers on unused fields\n\n - S7201068, CVE-2013-0435: Better handling of UI elements\n\n - S7201070: Serialization to conform to protocol\n\n - S7201071, CVE-2013-0433: InetSocketAddress serialization issue\n\n - S8000210: Improve JarFile code quality\n\n - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class\n\n - S8000540, CVE-2013-1475: Improve IIOP type reuse management\n\n - S8000631, CVE-2013-1476: Restrict access to class constructor\n\n - S8001235, CVE-2013-0434: Improve JAXP HTTP handling\n\n - S8001242: Improve RMI HTTP conformance\n\n - S8001307: Modify ACC_SUPER behavior\n\n - S8001972, CVE-2013-1478: Improve image processing\n\n - S8002325, CVE-2013-1480: Improve management of images\n\n - Backports\n\n - S7010849: 5/5 Extraneous javac source/target options when building sa-jdi\n\nThe updated packages provides icedtea6-1.11.6 which is not vulnerable to these issues.", "published": "2013-02-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64563", "cvelist": ["CVE-2013-0426", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-29T13:44:05"}, {"id": "REDHAT-RHSA-2013-0245.NASL", "type": "nessus", "title": "RHEL 6 : java-1.6.0-openjdk (RHSA-2013:0245)", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-02-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64518", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-29T13:37:20"}, {"id": "SL_20130208_JAVA_1_6_0_OPENJDK_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL6.x i386/x86_64", "description": "Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.\n(CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.\n(CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate Diffie- Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6.\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-02-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64522", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-29T13:34:10"}, {"id": "SUSE_11_JAVA-1_6_0-OPENJDK-130212.NASL", "type": "nessus", "title": "SuSE 11.2 Security Update : Java 1.6.0 (SAT Patch Number 7332)", "description": "java-1_6_0-openjdk based on Icedtea6-1.12.2 was released, fixing various security issues :\n\nNew in release 1.12.2 (2012-02-03) :\n\n - Security fixes\n\n - S6563318, CVE-2013-0424: RMI data sanitization\n\n - S6664509, CVE-2013-0425: Add logging context\n\n - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time\n\n - S6776941: CVE-2013-0427: Improve thread pool shutdown\n\n - S7141694, CVE-2013-0429: Improving CORBA internals\n\n - S7173145: Improve in-memory representation of splashscreens\n\n - S7186945: Unpack200 improvement\n\n - S7186946: Refine unpacker resource usage\n\n - S7186948: Improve Swing data validation\n\n - S7186952, CVE-2013-0432: Improve clipboard access\n\n - S7186954: Improve connection performance\n\n - S7186957: Improve Pack200 data validation\n\n - S7192392, CVE-2013-0443: Better validation of client keys\n\n - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages\n\n - S7192977, CVE-2013-0442: Issue in toolkit thread\n\n - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies\n\n - S7200491: Tighten up JTable layout code\n\n - S7200500: Launcher better input validation\n\n - S7201064: Better dialogue checking\n\n - S7201066, CVE-2013-0441: Change modifiers on unused fields\n\n - S7201068, CVE-2013-0435: Better handling of UI elements\n\n - S7201070: Serialization to conform to protocol\n\n - S7201071, CVE-2013-0433: InetSocketAddress serialization issue\n\n - S8000210: Improve JarFile code quality\n\n - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class\n\n - S8000540, CVE-2013-1475: Improve IIOP type reuse management\n\n - S8000631, CVE-2013-1476: Restrict access to class constructor\n\n - S8001235, CVE-2013-0434: Improve JAXP HTTP handling\n\n - S8001242: Improve RMI HTTP conformance\n\n - S8001307: Modify ACC_SUPER behavior\n\n - S8001972, CVE-2013-1478: Improve image processing\n\n - S8002325, CVE-2013-1480: Improve management of images\n\n - Backports\n\n - S7010849: 5/5 Extraneous javac source/target options when building sa-jdi\n\n - S8004341: Two JCK tests fails with 7u11 b06\n\n - S8005615: Java Logger fails to load tomcat logger implementation (JULI)\n\n - Bug fixes\n\n - PR1297: cacao and jamvm parallel unpack failures\n\n - PR1301: PR1171 causes builds of Zero to fail", "published": "2013-02-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64780", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-29T13:44:08"}, {"id": "OPENSUSE-2013-165.NASL", "type": "nessus", "title": "openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0377-1)", "description": "java-1_7_0-openjdk was updated to icedtea-2.3.6 (bnc#803379) containing various security and bugfixes :\n\n - Security fixes\n\n - S6563318, CVE-2013-0424: RMI data sanitization\n\n - S6664509, CVE-2013-0425: Add logging context\n\n - S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time\n\n - S6776941: CVE-2013-0427: Improve thread pool shutdown\n\n - S7141694, CVE-2013-0429: Improving CORBA internals\n\n - S7173145: Improve in-memory representation of splashscreens\n\n - S7186945: Unpack200 improvement\n\n - S7186946: Refine unpacker resource usage\n\n - S7186948: Improve Swing data validation\n\n - S7186952, CVE-2013-0432: Improve clipboard access\n\n - S7186954: Improve connection performance\n\n - S7186957: Improve Pack200 data validation\n\n - S7192392, CVE-2013-0443: Better validation of client keys\n\n - S7192393, CVE-2013-0440: Better Checking of order of TLS Messages\n\n - S7192977, CVE-2013-0442: Issue in toolkit thread\n\n - S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies\n\n - S7200491: Tighten up JTable layout code\n\n - S7200493, CVE-2013-0444: Improve cache handling\n\n - S7200499: Better data validation for options\n\n - S7200500: Launcher better input validation\n\n - S7201064: Better dialogue checking\n\n - S7201066, CVE-2013-0441: Change modifiers on unused fields\n\n - S7201068, CVE-2013-0435: Better handling of UI elements\n\n - S7201070: Serialization to conform to protocol\n\n - S7201071, CVE-2013-0433: InetSocketAddress serialization issue\n\n - S8000210: Improve JarFile code quality\n\n - S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class\n\n - S8000539, CVE-2013-0431: Introspect JMX data handling\n\n - S8000540, CVE-2013-1475: Improve IIOP type reuse management\n\n - S8000631, CVE-2013-1476: Restrict access to class constructor\n\n - S8001235, CVE-2013-0434: Improve JAXP HTTP handling\n\n - S8001242: Improve RMI HTTP conformance\n\n - S8001307: Modify ACC_SUPER behavior\n\n - S8001972, CVE-2013-1478: Improve image processing\n\n - S8002325, CVE-2013-1480: Improve management of images\n\n - Backports\n\n - S7057320:\n test/java/util/concurrent/Executors/AutoShutdown.java failing intermittently\n\n - S7083664: TEST_BUG: test hard code of using c:/temp but this dir might not exist\n\n - S7107613: scalability blocker in javax.crypto.CryptoPermissions\n\n - S7107616: scalability blocker in javax.crypto.JceSecurityManager\n\n - S7146424: Wildcard expansion for single entry classpath\n\n - S7160609: [macosx] JDK crash in libjvm.dylib ( C [GeForceGLDriver+0x675a] gldAttachDrawable+0x941)\n\n - S7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar\n\n - S7162488: VM not printing unknown -XX options\n\n - S7169395: Exception throws due to the changes in JDK 7 object tranversal and break backward compatibility\n\n - S7175616: Port fix for TimeZone from JDK 8 to JDK 7\n\n - S7176485: (bf) Allow temporary buffer cache to grow to IOV_MAX\n\n - S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and reinitialize build number\n\n - S7184326: TEST_BUG:\n java/awt/Frame/7024749/bug7024749.java has a typo\n\n - S7185245: Licensee source bundle tries to compile JFR\n\n - S7185471: Avoid key expansion when AES cipher is re-init w/ the same key\n\n - S7186371: [macosx] Main menu shortcuts not displayed (7u6 regression)\n\n - S7187834: [macosx] Usage of private API in macosx 2d implementation causes Apple Store rejection\n\n - S7188114: (launcher) need an alternate command line parser for Windows\n\n - S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and reinitialize build number\n\n - S7189350: Fix failed for CR 7162144\n\n - S7190550: REGRESSION: Some closed/com/oracle/jfr/api tests fail to compile because of fix 7185245\n\n - S7193219: JComboBox serialization fails in JDK 1.7\n\n - S7193977: REGRESSION:Java 7's JavaBeans persistence ignoring the 'transient' flag on properties\n\n - S7195106: REGRESSION : There is no way to get Icon inf, once Softreference is released\n\n - S7195301: XML Signature DOM implementation should not use instanceof to determine type of Node\n\n - S7195931: UnsatisfiedLinkError on PKCS11.C_GetOperationState while using NSS from jre7u6+\n\n - S7197071: Makefiles for various security providers aren't including the default manifest.\n\n - S7197652: Impossible to run any signed JNLP applications or applets, OCSP off by default\n\n - S7198146: Another new regression test does not compile on windows-amd64\n\n - S7198570: (tz) Support tzdata2012f\n\n - S7198640: new hotspot build - hs23.6-b04\n\n - S7199488: [TEST] runtime/7158800/InternTest.java failed due to false-positive on PID match.\n\n - S7199645: Increment build # of hs23.5 to b02\n\n - S7199669: Update tags in .hgtags file for CPU release rename\n\n - S7200720: crash in net.dll during NTLM authentication\n\n - S7200742: (se) Selector.select does not block when starting Coherence (sol11u1)\n\n - S7200762: [macosx] Stuck in sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Na tive Method)\n\n - S8000285: Deadlock between PostEventQueue.noEvents, EventQueue.isDispatchThread and SwingUtilities.invokeLater\n\n - S8000286: [macosx] Views keep scrolling back to the drag position after DnD\n\n - S8000297: REGRESSION:\n closed/java/awt/EventQueue/PostEventOrderingTest.java fails\n\n - S8000307: Jre7cert: focusgained does not get called for all focus req when do alt + tab\n\n - S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and reinitialize build number\n\n - S8001124: jdk7u ProblemList.txt updates (10/2012)\n\n - S8001242: Improve RMI HTTP conformance\n\n - S8001808: Create a test for 8000327\n\n - S8001876: Create regtest for 8000283\n\n - S8002068: Build broken: corba code changes unable to use new JDK 7 classes\n\n - S8002091: tools/launcher/ToolsOpts.java test started to fail since 7u11 b01 on Windows\n\n - S8002114: fix failed for JDK-7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar\n\n - S8002225: (tz) Support tzdata2012i\n\n - S8003402: (dc) test/java/nio/channels/DatagramChannel/SendToUnresovled.\n java failing after 7u11 cleanup issues\n\n - S8003403: Test ShortRSAKeyWithinTLS and ClientJSSEServerJSSE failing after 7u11 cleanup\n\n - S8003948: NTLM/Negotiate authentication problem\n\n - S8004175: Restricted packages added in java.security are missing in java.security-{macosx, solaris, windows}\n\n - S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01\n\n - S8004341: Two JCK tests fails with 7u11 b06\n\n - S8005615: Java Logger fails to load tomcat logger implementation (JULI)\n\n - Bug fixes\n\n - Fix build using Zero's HotSpot so all patches apply again.\n\n - PR1295: jamvm parallel unpack failure\n\n - removed icedtea-2.3.2-fix-extract-jamvm-dependency.patch\n\n - removed icedtea-2.3.3-refresh-6924259-string_offset.patch\n\n - few missing /openjdk/%{origin}/ changes", "published": "2014-06-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74907", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0431", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-29T13:46:01"}], "openvas": [{"id": "OPENVAS:1361412562310865337", "type": "openvas", "title": "Fedora Update for java-1.7.0-openjdk FEDORA-2013-2209", "description": "Check for the Version of java-1.7.0-openjdk", "published": "2013-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865337", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2012-4681", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2018-04-06T11:21:12"}, {"id": "OPENVAS:865341", "type": "openvas", "title": "Fedora Update for java-1.7.0-openjdk FEDORA-2013-2205", "description": "Check for the Version of java-1.7.0-openjdk", "published": "2013-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=865341", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2018-02-06T13:09:54"}, {"id": "OPENVAS:850401", "type": "openvas", "title": "SuSE Update for java-1_6_0-openjdk openSUSE-SU-2013:0312-1 (java-1_6_0-openjdk)", "description": "Check for the Version of java-1_6_0-openjdk", "published": "2013-03-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=850401", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2018-01-23T13:10:00"}, {"id": "OPENVAS:850402", "type": "openvas", "title": "SuSE Update for java-1_6_0-openjdk openSUSE-SU-2013:0308-1 (java-1_6_0-openjdk)", "description": "Check for the Version of java-1_6_0-openjdk", "published": "2013-03-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=850402", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2018-01-23T13:09:34"}, {"id": "OPENVAS:1361412562310850402", "type": "openvas", "title": "SuSE Update for java-1_6_0-openjdk openSUSE-SU-2013:0308-1 (java-1_6_0-openjdk)", "description": "Check for the Version of java-1_6_0-openjdk", "published": "2013-03-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850402", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1476", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2018-04-06T11:21:11"}, {"id": "OPENVAS:881597", "type": "openvas", "title": "CentOS Update for java CESA-2013:0246 centos5 ", "description": "Check for the Version of java", "published": "2013-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881597", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2018-02-05T11:11:35"}, {"id": "OPENVAS:870905", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2013:0246-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2013-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870905", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2018-01-18T11:09:34"}, {"id": "OPENVAS:1361412562310123729", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0245", "description": "Oracle Linux Local Security Checks ELSA-2013-0245", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123729", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-07-24T12:54:03"}, {"id": "OPENVAS:1361412562310123727", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0246", "description": "Oracle Linux Local Security Checks ELSA-2013-0246", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123727", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-07-24T12:53:04"}, {"id": "OPENVAS:870906", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2013:0245-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2013-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870906", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-07-27T10:51:33"}], "oraclelinux": [{"id": "ELSA-2013-0245", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[1:1.6.0.0-1.54.1.11.6]\n- removed patch8 revertTwoWrongSecurityPatches2013-02-06.patch\n- added patch8: 7201064.patch to be reverted\n- added patch9: 8005615.patch to fix the 6664509.patch\n- Resolves: rhbz#906707\n[1:1.6.0.0-1.53.1.11.6]\n- added patch8 revertTwoWrongSecurityPatches2013-02-06.patch\n to remove 6664509 and 7201064 from 1.11.6 tarball\n- Resolves: rhbz#906707\n[1:1.6.0.0-1.51.1.11.6]\n- Updated to icedtea6 1.11.6\n- Rewritten java-1.6.0-openjdk-java-access-bridge-security.patch\n- Resolves: rhbz#906707", "published": "2013-02-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-0245.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-04T11:15:56"}, {"id": "ELSA-2013-0246", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[ 1:1.6.0.0-1.33.1.11.6.0.1.el5_9]\n- Add oracle-enterprise.patch\n[1:1.6.0.0-1.33.1.11.6]\n- removed patch9 revertTwoWrongSecurityPatches2013-02-06.patch\n- added patch9: 7201064.patch to be reverted\n- added patch10: 8005615.patch to fix the 6664509.patch\n- Resolves: rhbz#906705\n[1:1.6.0.0-1.32.1.11.6]\n- added patch9 revertTwoWrongSecurityPatches2013-02-06.patch\n to remove 6664509 and 7201064 from 1.11.6 tarball\n- Resolves: rhbz#906705\n[1:1.6.0.0-1.31.1.11.6]\n- Updated to icedtea6 1.11.6\n- Rewritten java-1.6.0-openjdk-java-access-bridge-security.patch\n- Resolves: rhbz#906705", "published": "2013-02-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-0246.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-04T11:17:07"}, {"id": "ELSA-2013-0247", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": "[1.7.0.9-2.3.5.3.0.1.el6_3]\n- Update DISTRO_NAME in specfile\n[1.7.0.9-2.3.5.3.el6_3]\n- Sync logging fixes with upstream (icedtea7-forest and jdk7u)\n[1.7.0.9-2.3.5.1.el6_3]\n- Removed 6664509 backout and added 8005615 to fix the issue\n[1.7.0.9-2.3.5.el6_3.1]\n- Backed out 6664509 and 7201064.patch which cause regressions\n[1.7.0.9-2.3.5.el6_3]\n- Bumped to 2.3.5\n- Changed BR to java7-devel >= 1:1.7.0 as required by CORBA changes in 2.3.5\n- Resolves: rhbz#906707", "published": "2013-02-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-0247.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0431", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-04T11:15:56"}], "centos": [{"id": "CESA-2013:0246", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:0246\n\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,\nCVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially-crafted image could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access\nto certain com.sun.xml.internal packages. An untrusted Java application or\napplet could use this flaw to access information, bypassing certain Java\nsandbox restrictions. This update lists the whole package as restricted.\n(CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries,\nNetworking, and JAXP components. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could use\nthis flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component\ndid not properly enforce handshake message ordering, allowing an unlimited\nnumber of handshake restarts. A remote attacker could use this flaw to\nmake an SSL/TLS server using JSSE consume an excessive amount of CPU by\ncontinuously restarting the handshake. (CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this flaw\nto perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-February/019231.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0246.html", "published": "2013-02-08T22:39:51", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-February/019231.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-03T18:25:41"}, {"id": "CESA-2013:0245", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:0245\n\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,\nCVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially-crafted image could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access\nto certain com.sun.xml.internal packages. An untrusted Java application or\napplet could use this flaw to access information, bypassing certain Java\nsandbox restrictions. This update lists the whole package as restricted.\n(CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries,\nNetworking, and JAXP components. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could use\nthis flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component\ndid not properly enforce handshake message ordering, allowing an unlimited\nnumber of handshake restarts. A remote attacker could use this flaw to\nmake an SSL/TLS server using JSSE consume an excessive amount of CPU by\ncontinuously restarting the handshake. (CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this flaw\nto perform a small subgroup attack. (CVE-2013-0443)\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-February/019233.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0245.html", "published": "2013-02-09T11:03:54", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-February/019233.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-03T18:26:04"}, {"id": "CESA-2013:0247", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:0247\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,\nCVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0428, CVE-2013-0444)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially-crafted image could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access\nto certain com.sun.xml.internal packages. An untrusted Java application or\napplet could use this flaw to access information, bypassing certain Java\nsandbox restrictions. This update lists the whole package as restricted.\n(CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the JMX,\nLibraries, Networking, and JAXP components. An untrusted Java application\nor applet could use these flaws to bypass certain Java sandbox\nrestrictions. (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could use\nthis flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component\ndid not properly enforce handshake message ordering, allowing an unlimited\nnumber of handshake restarts. A remote attacker could use this flaw to\nmake an SSL/TLS server using JSSE consume an excessive amount of CPU by\ncontinuously restarting the handshake. (CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this flaw\nto perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.5. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-February/019232.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-February/019234.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0247.html", "published": "2013-02-09T00:57:50", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-February/019232.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0431", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2017-10-03T18:24:26"}], "redhat": [{"id": "RHSA-2013:0246", "type": "redhat", "title": "(RHSA-2013:0246) Important: java-1.6.0-openjdk security update", "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,\nCVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially-crafted image could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access\nto certain com.sun.xml.internal packages. An untrusted Java application or\napplet could use this flaw to access information, bypassing certain Java\nsandbox restrictions. This update lists the whole package as restricted.\n(CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries,\nNetworking, and JAXP components. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could use\nthis flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component\ndid not properly enforce handshake message ordering, allowing an unlimited\nnumber of handshake restarts. A remote attacker could use this flaw to\nmake an SSL/TLS server using JSSE consume an excessive amount of CPU by\ncontinuously restarting the handshake. (CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this flaw\nto perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2013-02-08T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0246", "cvelist": ["CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0445", "CVE-2013-0450", "CVE-2013-1475", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480"], "lastseen": "2017-09-09T07:19:13"}, {"id": "RHSA-2013:0245", "type": "redhat", "title": "(RHSA-2013:0245) Critical: java-1.6.0-openjdk security update", "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,\nCVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0428)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially-crafted image could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access\nto certain com.sun.xml.internal packages. An untrusted Java application or\napplet could use this flaw to access information, bypassing certain Java\nsandbox restrictions. This update lists the whole package as restricted.\n(CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the Libraries,\nNetworking, and JAXP components. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could use\nthis flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component\ndid not properly enforce handshake message ordering, allowing an unlimited\nnumber of handshake restarts. A remote attacker could use this flaw to\nmake an SSL/TLS server using JSSE consume an excessive amount of CPU by\ncontinuously restarting the handshake. (CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this flaw\nto perform a small subgroup attack. (CVE-2013-0443)\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.6. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2013-02-08T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0245", "cvelist": ["CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0445", "CVE-2013-0450", "CVE-2013-1475", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480"], "lastseen": "2017-12-25T20:05:50"}, {"id": "RHSA-2013:0247", "type": "redhat", "title": "(RHSA-2013:0247) Important: java-1.7.0-openjdk security update", "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple improper permission check issues were discovered in the AWT,\nCORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,\nCVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0428, CVE-2013-0444)\n\nMultiple flaws were found in the way image parsers in the 2D and AWT\ncomponents handled image raster parameters. A specially-crafted image could\ncause Java Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the virtual machine privileges.\n(CVE-2013-1478, CVE-2013-1480)\n\nA flaw was found in the AWT component's clipboard handling code. An\nuntrusted Java application or applet could use this flaw to access\nclipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)\n\nThe default Java security properties configuration did not restrict access\nto certain com.sun.xml.internal packages. An untrusted Java application or\napplet could use this flaw to access information, bypassing certain Java\nsandbox restrictions. This update lists the whole package as restricted.\n(CVE-2013-0435)\n\nMultiple improper permission check issues were discovered in the JMX,\nLibraries, Networking, and JAXP components. An untrusted Java application\nor applet could use these flaws to bypass certain Java sandbox\nrestrictions. (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)\n\nIt was discovered that the RMI component's CGIHandler class used user\ninputs in error messages without any sanitization. An attacker could use\nthis flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component\ndid not properly enforce handshake message ordering, allowing an unlimited\nnumber of handshake restarts. A remote attacker could use this flaw to\nmake an SSL/TLS server using JSSE consume an excessive amount of CPU by\ncontinuously restarting the handshake. (CVE-2013-0440)\n\nIt was discovered that the JSSE component did not properly validate\nDiffie-Hellman public keys. An SSL/TLS client could possibly use this flaw\nto perform a small subgroup attack. (CVE-2013-0443)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.5. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2013-02-08T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0247", "cvelist": ["CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-0431", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0445", "CVE-2013-0450", "CVE-2013-1475", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480"], "lastseen": "2017-12-25T20:05:52"}, {"id": "RHSA-2013:0624", "type": "redhat", "title": "(RHSA-2013:0624) Critical: java-1.5.0-ibm security update", "description": "IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2013-0409, CVE-2013-0424,\nCVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0432,\nCVE-2013-0433, CVE-2013-0434, CVE-2013-0440, CVE-2013-0442, CVE-2013-0443,\nCVE-2013-0445, CVE-2013-0450, CVE-2013-0809, CVE-2013-1476, CVE-2013-1478,\nCVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1493)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16 release. All running instances\nof IBM Java must be restarted for this update to take effect.\n", "published": "2013-03-11T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0624", "cvelist": ["CVE-2012-5085", "CVE-2013-0409", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0440", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0445", "CVE-2013-0450", "CVE-2013-0809", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1481", "CVE-2013-1486", "CVE-2013-1493"], "lastseen": "2017-09-08T08:04:56"}, {"id": "RHSA-2013:0236", "type": "redhat", "title": "(RHSA-2013:0236) Critical: java-1.6.0-sun security update", "description": "Oracle Java SE version 6 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,\nCVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0432,\nCVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440,\nCVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446,\nCVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,\nCVE-2013-1480, CVE-2013-1481)\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 39. All running instances of\nOracle Java must be restarted for the update to take effect.\n", "published": "2013-02-04T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0236", "cvelist": ["CVE-2012-1541", "CVE-2012-3213", "CVE-2012-3342", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-0430", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0438", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0450", "CVE-2013-1473", "CVE-2013-1475", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1481"], "lastseen": "2017-09-09T07:20:12"}, {"id": "RHSA-2013:0625", "type": "redhat", "title": "(RHSA-2013:0625) Critical: java-1.6.0-ibm security update", "description": "IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2012-1541, CVE-2012-3213,\nCVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,\nCVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,\nCVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438,\nCVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476,\nCVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487,\nCVE-2013-1493)\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 6 SR13 release. All running instances\nof IBM Java must be restarted for the update to take effect.\n", "published": "2013-03-11T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0625", "cvelist": ["CVE-2012-1541", "CVE-2012-3213", "CVE-2012-3342", "CVE-2012-5085", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0438", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0450", "CVE-2013-0809", "CVE-2013-1473", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1481", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1493"], "lastseen": "2017-09-09T07:19:53"}, {"id": "RHSA-2013:0626", "type": "redhat", "title": "(RHSA-2013:0626) Critical: java-1.7.0-ibm security update", "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2012-1541, CVE-2012-3174,\nCVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419,\nCVE-2013-0422, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0427, CVE-2013-0428, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433,\nCVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,\nCVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0449, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473,\nCVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485,\nCVE-2013-1486, CVE-2013-1487, CVE-2013-1493)\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR4 release. All running instances\nof IBM Java must be restarted for the update to take effect.\n", "published": "2013-03-11T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0626", "cvelist": ["CVE-2012-1541", "CVE-2012-3174", "CVE-2012-3213", "CVE-2012-3342", "CVE-2012-5085", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0422", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0431", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0437", "CVE-2013-0438", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0449", "CVE-2013-0450", "CVE-2013-0809", "CVE-2013-1473", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1484", "CVE-2013-1485", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1493"], "lastseen": "2017-09-09T07:19:55"}, {"id": "RHSA-2013:0237", "type": "redhat", "title": "(RHSA-2013:0237) Critical: java-1.7.0-oracle security update", "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,\nCVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431,\nCVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437,\nCVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,\nCVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0448, CVE-2013-0449,\nCVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,\nCVE-2013-1479, CVE-2013-1480, CVE-2013-1489)\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 13 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.\n", "published": "2013-02-04T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0237", "cvelist": ["CVE-2012-1541", "CVE-2012-3213", "CVE-2012-3342", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-0430", "CVE-2013-0431", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0437", "CVE-2013-0438", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0448", "CVE-2013-0449", "CVE-2013-0450", "CVE-2013-1473", "CVE-2013-1475", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1479", "CVE-2013-1480", "CVE-2013-1489"], "lastseen": "2017-07-28T10:57:47"}, {"id": "RHSA-2013:1456", "type": "redhat", "title": "(RHSA-2013:1456) Low: Red Hat Network Satellite server IBM Java Runtime security update", "description": "This update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Network Satellite Server\n5.5. In a typical operating environment, these are of low security risk as\nthe runtime is not used on untrusted applets.\n\nSeveral flaws were fixed in the IBM Java 2 Runtime Environment.\n(CVE-2012-0547, CVE-2012-0551, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533,\nCVE-2012-1541, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,\nCVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725,\nCVE-2012-3143, CVE-2012-3159, CVE-2012-3213, CVE-2012-3216, CVE-2012-3342,\nCVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069,\nCVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079,\nCVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089, CVE-2013-0169,\nCVE-2013-0351, CVE-2013-0401, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,\nCVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,\nCVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438,\nCVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476,\nCVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487,\nCVE-2013-1491, CVE-2013-1493, CVE-2013-1500, CVE-2013-1537, CVE-2013-1540,\nCVE-2013-1557, CVE-2013-1563, CVE-2013-1569, CVE-2013-1571, CVE-2013-2383,\nCVE-2013-2384, CVE-2013-2394, CVE-2013-2407, CVE-2013-2412, CVE-2013-2417,\nCVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2424,\nCVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433, CVE-2013-2435,\nCVE-2013-2437, CVE-2013-2440, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444,\nCVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451,\nCVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456,\nCVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-3743)\n\nUsers of Red Hat Network Satellite Server 5.5 are advised to upgrade to\nthese updated packages, which contain the IBM Java SE 6 SR14 release. For\nthis update to take effect, Red Hat Network Satellite Server must be\nrestarted (\"/usr/sbin/rhn-satellite restart\"), as well as all running\ninstances of IBM Java.\n", "published": "2013-10-23T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1456", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2468", "CVE-2013-2420", "CVE-2013-2384", "CVE-2013-1491", "CVE-2013-1571", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-0401", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-1478", "CVE-2013-2456", "CVE-2013-0428", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-0169", "CVE-2012-1719", "CVE-2013-2394", "CVE-2012-3159", "CVE-2013-0435", "CVE-2013-0809", "CVE-2013-0442", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2013-2473", "CVE-2012-5079", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-0434", "CVE-2012-5081", "CVE-2013-0443", "CVE-2013-2419", "CVE-2013-2463", "CVE-2013-1563", "CVE-2013-2469", "CVE-2013-0351", "CVE-2013-2465", "CVE-2013-1537", "CVE-2013-3743", "CVE-2012-0551", "CVE-2013-0433", "CVE-2013-1480", "CVE-2012-1717", "CVE-2012-1721", "CVE-2013-0409", "CVE-2013-0438", "CVE-2012-1713", "CVE-2012-1716", "CVE-2012-5083", "CVE-2013-2429", "CVE-2013-2471", "CVE-2012-1532", "CVE-2013-1486", "CVE-2013-1476", "CVE-2012-4823", "CVE-2013-1487", "CVE-2013-0445", "CVE-2012-5069", "CVE-2012-3216", "CVE-2012-4820", "CVE-2013-0432", "CVE-2012-5084", "CVE-2012-4822", "CVE-2012-1718", "CVE-2013-2440", "CVE-2013-2464", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2013-2442", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-2432", "CVE-2012-1722", "CVE-2013-2443", "CVE-2013-1481", "CVE-2013-2446", "CVE-2012-0547", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-1540", "CVE-2013-1493", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2455", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-0425", "CVE-2012-5068", "CVE-2012-1682", "CVE-2013-0441", "CVE-2012-3143", "CVE-2013-1569", "CVE-2013-2412", "CVE-2013-2430", "CVE-2013-2466", "CVE-2013-0423", "CVE-2013-0419"], "lastseen": "2017-03-04T13:18:38"}, {"id": "RHSA-2013:1455", "type": "redhat", "title": "(RHSA-2013:1455) Low: Red Hat Network Satellite server IBM Java Runtime security update", "description": "This update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Network Satellite Server\n5.4. In a typical operating environment, these are of low security risk as\nthe runtime is not used on untrusted applets.\n\nSeveral flaws were fixed in the IBM Java 2 Runtime Environment.\n(CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865,\nCVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0873,\nCVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545,\nCVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550,\nCVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556,\nCVE-2011-3557, CVE-2011-3560, CVE-2011-3561, CVE-2011-3563, CVE-2011-5035,\nCVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501,\nCVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507,\nCVE-2012-0547, CVE-2012-0551, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533,\nCVE-2012-1541, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,\nCVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725,\nCVE-2012-3143, CVE-2012-3159, CVE-2012-3213, CVE-2012-3216, CVE-2012-3342,\nCVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069,\nCVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079,\nCVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089, CVE-2013-0169,\nCVE-2013-0351, CVE-2013-0401, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,\nCVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,\nCVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438,\nCVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476,\nCVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487,\nCVE-2013-1491, CVE-2013-1493, CVE-2013-1500, CVE-2013-1537, CVE-2013-1540,\nCVE-2013-1557, CVE-2013-1563, CVE-2013-1569, CVE-2013-1571, CVE-2013-2383,\nCVE-2013-2384, CVE-2013-2394, CVE-2013-2407, CVE-2013-2412, CVE-2013-2417,\nCVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2424,\nCVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433, CVE-2013-2435,\nCVE-2013-2437, CVE-2013-2440, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444,\nCVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451,\nCVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456,\nCVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-3743)\n\nUsers of Red Hat Network Satellite Server 5.4 are advised to upgrade to\nthese updated packages, which contain the IBM Java SE 6 SR14 release. For\nthis update to take effect, Red Hat Network Satellite Server must be\nrestarted (\"/usr/sbin/rhn-satellite restart\"), as well as all running\ninstances of IBM Java.\n", "published": "2013-10-23T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1455", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2468", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-1491", "CVE-2013-1571", "CVE-2011-3557", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2011-3551", "CVE-2013-0401", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-1478", "CVE-2011-3549", "CVE-2013-2456", "CVE-2011-0802", "CVE-2011-0868", "CVE-2013-0428", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-0169", "CVE-2012-1719", "CVE-2013-2394", "CVE-2011-3563", "CVE-2012-3159", "CVE-2013-0435", "CVE-2013-0809", "CVE-2013-0442", "CVE-2011-3561", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2011-0869", "CVE-2013-2473", "CVE-2011-0863", "CVE-2012-5079", "CVE-2012-0507", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-0434", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2013-2463", "CVE-2013-1563", "CVE-2011-3389", "CVE-2013-2469", "CVE-2013-0351", "CVE-2013-2465", "CVE-2013-1537", "CVE-2013-3743", "CVE-2012-0498", "CVE-2011-3544", "CVE-2012-0551", "CVE-2011-3553", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2012-1717", "CVE-2012-1721", "CVE-2011-3516", "CVE-2013-0409", "CVE-2011-0873", "CVE-2013-0438", "CVE-2012-1713", "CVE-2012-1716", "CVE-2012-5083", "CVE-2013-2429", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-1532", "CVE-2013-1486", "CVE-2013-1476", "CVE-2012-4823", "CVE-2013-1487", "CVE-2013-0445", "CVE-2012-5069", "CVE-2012-3216", "CVE-2012-4820", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2011-3546", "CVE-2012-4822", "CVE-2012-1718", "CVE-2013-2440", "CVE-2013-2464", "CVE-2011-3554", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2011-0867", "CVE-2013-2442", "CVE-2012-0499", "CVE-2012-0501", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-2432", "CVE-2012-1722", "CVE-2013-2443", "CVE-2013-1481", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-1540", "CVE-2012-0500", "CVE-2011-3560", "CVE-2013-1493", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2455", "CVE-2011-3545", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-0425", "CVE-2011-3552", "CVE-2012-5068", "CVE-2012-1682", "CVE-2013-0441", "CVE-2012-3143", "CVE-2012-0502", "CVE-2011-3550", "CVE-2013-1569", "CVE-2013-2412", "CVE-2011-0862", "CVE-2013-2430", "CVE-2011-0871", "CVE-2013-2466", "CVE-2011-0814", "CVE-2013-0423", "CVE-2013-0419"], "lastseen": "2017-03-04T13:18:30"}], "amazon": [{"id": "ALAS-2013-156", "type": "amazon", "title": "Important: java-1.7.0-openjdk", "description": "**Issue Overview:**\n\nMultiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-0442 __](<https://access.redhat.com/security/cve/CVE-2013-0442>), [CVE-2013-0445 __](<https://access.redhat.com/security/cve/CVE-2013-0445>), [CVE-2013-0441 __](<https://access.redhat.com/security/cve/CVE-2013-0441>), [CVE-2013-1475 __](<https://access.redhat.com/security/cve/CVE-2013-1475>), [CVE-2013-1476 __](<https://access.redhat.com/security/cve/CVE-2013-1476>), [CVE-2013-0429 __](<https://access.redhat.com/security/cve/CVE-2013-0429>), [CVE-2013-0450 __](<https://access.redhat.com/security/cve/CVE-2013-0450>), [CVE-2013-0425 __](<https://access.redhat.com/security/cve/CVE-2013-0425>), [CVE-2013-0426 __](<https://access.redhat.com/security/cve/CVE-2013-0426>), [CVE-2013-0428 __](<https://access.redhat.com/security/cve/CVE-2013-0428>), [CVE-2013-0444 __](<https://access.redhat.com/security/cve/CVE-2013-0444>))\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges. ([CVE-2013-1478 __](<https://access.redhat.com/security/cve/CVE-2013-1478>), [CVE-2013-1480 __](<https://access.redhat.com/security/cve/CVE-2013-1480>))\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. ([CVE-2013-0432 __](<https://access.redhat.com/security/cve/CVE-2013-0432>))\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. ([CVE-2013-0435 __](<https://access.redhat.com/security/cve/CVE-2013-0435>))\n\nMultiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2013-0431 __](<https://access.redhat.com/security/cve/CVE-2013-0431>), [CVE-2013-0427 __](<https://access.redhat.com/security/cve/CVE-2013-0427>), [CVE-2013-0433 __](<https://access.redhat.com/security/cve/CVE-2013-0433>), [CVE-2013-0434 __](<https://access.redhat.com/security/cve/CVE-2013-0434>))\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack. ([CVE-2013-0424 __](<https://access.redhat.com/security/cve/CVE-2013-0424>))\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake. ([CVE-2013-0440 __](<https://access.redhat.com/security/cve/CVE-2013-0440>))\n\nIt was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. ([CVE-2013-0443 __](<https://access.redhat.com/security/cve/CVE-2013-0443>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.17.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.17.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.17.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.17.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.9-2.3.5.3.17.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.17.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.9-2.3.5.3.17.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.17.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.9-2.3.5.3.17.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.17.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.17.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.17.amzn1.x86_64 \n \n \n", "published": "2013-02-17T15:35:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2013-156.html", "cvelist": ["CVE-2013-0426", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0431", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1476", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0450", "CVE-2013-0440", "CVE-2013-0425", "CVE-2013-0441"], "lastseen": "2016-09-28T21:04:05"}, {"id": "ALAS-2013-155", "type": "amazon", "title": "Important: java-1.6.0-openjdk", "description": "**Issue Overview:**\n\nMultiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.\n\nMultiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.\n\nA flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions.\n\nThe default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted.\n\nMultiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n\nIt was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.\n\nIt was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack.\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-src-1.6.0.0-54.1.11.6.48.amzn1.i686 \n java-1.6.0-openjdk-demo-1.6.0.0-54.1.11.6.48.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.0-54.1.11.6.48.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.0-54.1.11.6.48.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.0-54.1.11.6.48.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-54.1.11.6.48.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.0-54.1.11.6.48.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.0-54.1.11.6.48.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.0-54.1.11.6.48.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.0-54.1.11.6.48.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-54.1.11.6.48.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.0-54.1.11.6.48.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.0-54.1.11.6.48.amzn1.x86_64 \n \n \n", "published": "2013-02-17T15:35:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2013-155.html", "cvelist": ["CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0432", "CVE-2013-0424", "CVE-2013-0440"], "lastseen": "2016-09-28T21:04:03"}], "ubuntu": [{"id": "USN-1724-1", "type": "ubuntu", "title": "OpenJDK vulnerabilities", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to cause a denial of service. (CVE-2012-1541, CVE-2012-3342, CVE-2013-0351, CVE-2013-0419, CVE-2013-0423, CVE-2013-0446, CVE-2012-3213, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0441, CVE-2013-0442, CVE-2013-0445, CVE-2013-0450, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480)\n\nVulnerabilities were discovered in the OpenJDK JRE related to information disclosure. (CVE-2013-0409, CVE-2013-0434, CVE-2013-0438)\n\nSeveral data integrity vulnerabilities were discovered in the OpenJDK JRE. (CVE-2013-0424, CVE-2013-0427, CVE-2013-0433, CVE-2013-1473)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. (CVE-2013-0432, CVE-2013-0435, CVE-2013-0443)\n\nA vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit this to cause a denial of service. (CVE-2013-0440)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-0444)\n\nA data integrity vulnerability was discovered in the OpenJDK JRE. This issue only affected Ubuntu 12.10. (CVE-2013-0448)\n\nAn information disclosure vulnerability was discovered in the OpenJDK JRE. This issue only affected Ubuntu 12.10. (CVE-2013-0449)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to cause a denial of service. This issue did not affect Ubuntu 12.10. (CVE-2013-1481)", "published": "2013-02-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1724-1/", "cvelist": ["CVE-2013-0426", "CVE-2012-1541", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0448", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0442", "CVE-2012-3342", "CVE-2013-1473", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0351", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-0438", "CVE-2013-1476", "CVE-2013-0430", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-0450", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-0425", "CVE-2013-0441", "CVE-2013-0449", "CVE-2013-0423", "CVE-2013-0419"], "lastseen": "2018-03-29T18:17:47"}], "cert": [{"id": "VU:858729", "type": "cert", "title": "Oracle Java contains multiple vulnerabilities", "description": "### Overview\n\nJava 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nThe Oracle Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. \n\nThe Java JRE plug-in provides its own [Security Manager](<http://docs.oracle.com/javase/7/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>). Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document [states](<http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>), _\"If there is a security manager already installed, this method first calls the security manager's _`_checkPermission_`_ method with a _`_RuntimePermission(\"setSecurityManager\")_`_ permission to ensure it's safe to replace the existing security manager. This may result in throwing a _`_SecurityException\"_`_._ \n \nBy leveraging a number of vulnerabilities, an untrusted Java applet can escalate its privileges to allow full privileges, without requiring code signing. Other vulnerabilities can cause exploitable memory corruption, which could affect Java applets, as well as Java applications, depending on what the Java application does and how it may process untrusted data. Oracle Java 7 Update 11, Java 6 Update 38, and earlier Java versions are affected. \n \nAt least one of these vulnerabilities is reportedly being exploited in the wild. \n \n--- \n \n### Impact\n\nBy convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities. The vulnerabilities that affect server deployments of Java may be exploited by causing a Java server application to process untrusted data. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nThese issues are addressed in Java 7 Update 13 and Java 6 Update 39. Please see the [Oracle Java SE Critical Patch Update Advisory](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>) \\- February 2013 for more details. \n \n--- \n \n**Disable Java in web browsers** \n \nStarting with Java 7 Update 10, it is possible to [disable Java content in web browsers](<http://www.java.com/en/download/help/disable_browser.xml>) through the Java control panel applet. Please see the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable>) for more details. \n \nSystem administrators wishing to deploy Java 7 Update 10 or later with the \"Enable Java content in the browser\" feature disabled can invoke the Java installer with the `WEB_JAVA=0` command-line option. More details are available in the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#install>). \n \nAlternatively, Microsoft has released a [Fix it](<http://blogs.technet.com/b/srd/archive/2013/05/29/java-when-you-cannot-let-go.aspx>) that disables Java in the Internet Explorer web browser. \n \n**Restrict access to Java applets** \n \nNetwork administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to `.jar` and `.class` files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple Inc.| | -| 05 Feb 2013 \nOracle Corporation| | -| 01 Feb 2013 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23858729 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 8.7 | E:H/RL:OF/RC:C \nEnvironmental | 8.7 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>\n * <http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html>\n * <http://taosecurity.blogspot.com/2012/11/do-devs-care-about-java-insecurity.html?showComment=1353874245992#c4794680666510382012>\n * <http://codeascraft.etsy.com/2013/03/18/java-not-even-once/>\n * <http://blogs.technet.com/b/srd/archive/2013/05/29/java-when-you-cannot-let-go.aspx>\n\n### Credit\n\nThese vulnerabilities were reported by Oracle.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2012-1541](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1541>) [CVE-2012-1543](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1543>) [CVE-2012-3213](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3213>) [CVE-2012-3342](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3342>) [CVE-2012-4301](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4301>) [CVE-2012-4305](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4305>) [CVE-2013-0351](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0351>) [CVE-2013-0409](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0409>) [CVE-2013-0419](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0419>) [CVE-2013-0423](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0423>) [CVE-2013-0424](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0424>) [CVE-2013-0425](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0425>) [CVE-2013-0426](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0426>) [CVE-2013-0427](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0427>) [CVE-2013-0428](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0428>) [CVE-2013-0429](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0429>) [CVE-2013-0430](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0430>) [CVE-2013-0431](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0431>) [CVE-2013-0432](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0432>) [CVE-2013-0433](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0433>) [CVE-2013-0434](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0434>) [CVE-2013-0435](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0435>) [CVE-2013-0436](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0436>) [CVE-2013-0437](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0437>) [CVE-2013-0438](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0438>) [CVE-2013-0439](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0439>) [CVE-2013-0440](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0440>) [CVE-2013-0441](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0441>) [CVE-2013-0442](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0442>) [CVE-2013-0443](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0443>) [CVE-2013-0444](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0444>) [CVE-2013-0445](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0445>) [CVE-2013-0446](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0446>) [CVE-2013-0447](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0447>) [CVE-2013-0448](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0448>) [CVE-2013-0449](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0449>) [CVE-2013-0450](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0450>) [CVE-2013-1472](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1472>) [CVE-2013-1473](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1473>) [CVE-2013-1474](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1474>) [CVE-2013-1475](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1475>) [CVE-2013-1476](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1476>) [CVE-2013-1477](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1477>) [CVE-2013-1478](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1478>) [CVE-2013-1479](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1479>) [CVE-2013-1480](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1480>) [CVE-2013-1481](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1481>) [CVE-2013-1482](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1482>) [CVE-2013-1483](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1483>) [CVE-2013-1489](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1489>)\n * US-CERT Alert: [TA13-032A](<http://www.us-cert.gov/cas/techalerts/TA13-032A.html>)\n * Date Public: 01 Feb 2013\n * Date First Published: 01 Feb 2013\n * Date Last Updated: 14 Jun 2013\n * Document Revision: 34\n\n", "published": "2013-02-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/858729", "cvelist": ["CVE-2013-0426", "CVE-2013-0426", "CVE-2012-1541", "CVE-2012-1541", "CVE-2013-0427", "CVE-2013-0427", "CVE-2013-1478", "CVE-2013-1478", "CVE-2013-0428", "CVE-2013-0428", "CVE-2013-0448", "CVE-2013-0448", "CVE-2013-1479", "CVE-2013-1479", "CVE-2013-0429", "CVE-2013-0429", "CVE-2013-1475", "CVE-2013-1475", "CVE-2013-0435", "CVE-2013-0435", "CVE-2013-0442", "CVE-2013-0442", "CVE-2012-3342", "CVE-2012-3342", "CVE-2013-0431", "CVE-2013-0431", "CVE-2013-1472", "CVE-2013-1472", "CVE-2013-1473", "CVE-2013-1473", "CVE-2012-4301", "CVE-2012-4301", "CVE-2013-0434", "CVE-2013-0434", "CVE-2013-0443", "CVE-2013-0443", "CVE-2013-0351", "CVE-2013-0351", "CVE-2013-0444", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-1480", "CVE-2013-1483", "CVE-2013-1483", "CVE-2013-1474", "CVE-2013-1474", "CVE-2013-0409", "CVE-2013-0409", "CVE-2013-0438", "CVE-2013-0438", "CVE-2013-0439", "CVE-2013-0439", "CVE-2013-1477", "CVE-2013-1477", "CVE-2013-1476", "CVE-2013-1476", "CVE-2013-0447", "CVE-2013-0447", "CVE-2013-0430", "CVE-2013-0430", "CVE-2013-0445", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0432", "CVE-2012-4305", "CVE-2012-4305", "CVE-2013-0424", "CVE-2013-0424", "CVE-2012-3213", "CVE-2012-3213", "CVE-2013-0450", "CVE-2013-0450", "CVE-2013-0446", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-0440", "CVE-2013-1481", "CVE-2013-1481", "CVE-2013-0436", "CVE-2013-0436", "CVE-2013-0437", "CVE-2013-0437", "CVE-2013-0425", "CVE-2013-0425", "CVE-2013-0441", "CVE-2013-0441", "CVE-2013-1482", "CVE-2013-1482", "CVE-2013-1489", "CVE-2013-1489", "CVE-2012-1543", "CVE-2012-1543", "CVE-2013-0449", "CVE-2013-0449", "CVE-2013-0423", "CVE-2013-0423", "CVE-2013-0419", "CVE-2013-0419"], "lastseen": "2016-02-03T09:12:09"}], "gentoo": [{"id": "GLSA-201406-32", "type": "gentoo", "title": "IcedTea JDK: Multiple vulnerabilities", "description": "### Background\n\nIcedTea is a distribution of the Java OpenJDK source code built with free build tools. \n\n### Description\n\nMultiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll IcedTea JDK users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.3\"", "published": "2014-06-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201406-32", "cvelist": ["CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2431", "CVE-2010-3562", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-2415", "CVE-2012-1711", "CVE-2014-2397", "CVE-2013-1571", "CVE-2013-5782", "CVE-2011-3557", "CVE-2013-2417", "CVE-2013-1500", "CVE-2013-2448", "CVE-2010-3557", "CVE-2011-3551", "CVE-2013-4002", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2014-0457", "CVE-2013-5850", "CVE-2013-2407", "CVE-2013-5778", "CVE-2013-1478", "CVE-2013-2456", "CVE-2010-3551", "CVE-2011-0868", "CVE-2013-0428", "CVE-2014-0446", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-0169", "CVE-2010-3553", "CVE-2012-1719", "CVE-2014-1876", "CVE-2014-0458", "CVE-2013-0429", "CVE-2014-2427", "CVE-2011-3563", "CVE-2013-1475", "CVE-2013-2421", "CVE-2013-1518", "CVE-2013-0435", "CVE-2012-5087", "CVE-2013-0809", "CVE-2013-0442", "CVE-2010-3566", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-5842", "CVE-2010-4448", "CVE-2013-0431", "CVE-2010-4465", "CVE-2012-5085", "CVE-2012-4540", "CVE-2011-0869", "CVE-2010-3565", "CVE-2012-5076", "CVE-2013-5830", "CVE-2013-2473", "CVE-2013-6954", "CVE-2012-4416", "CVE-2012-5075", "CVE-2014-0453", "CVE-2013-1488", "CVE-2012-0424", "CVE-2013-0434", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2013-5817", "CVE-2010-4469", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2014-0461", "CVE-2012-1723", "CVE-2013-2463", "CVE-2011-3571", "CVE-2010-3860", "CVE-2011-3389", "CVE-2013-2469", "CVE-2014-0459", "CVE-2014-0456", "CVE-2010-4450", "CVE-2012-1726", "CVE-2013-2465", "CVE-2013-1537", "CVE-2014-0429", "CVE-2013-5806", "CVE-2010-3574", "CVE-2011-3544", "CVE-2013-5805", "CVE-2011-3553", "CVE-2013-0444", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-5825", "CVE-2012-1717", "CVE-2013-2423", "CVE-2010-3541", "CVE-2013-5823", "CVE-2011-3558", "CVE-2014-2403", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2009-3555", "CVE-2013-2429", "CVE-2013-5849", "CVE-2014-2412", "CVE-2010-2548", "CVE-2012-5086", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-5077", "CVE-2013-1486", "CVE-2013-1476", "CVE-2010-4476", "CVE-2010-4472", "CVE-2013-5780", "CVE-2010-4471", "CVE-2014-2421", "CVE-2012-5069", "CVE-2012-3216", "CVE-2014-0460", "CVE-2011-0870", "CVE-2011-0815", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2012-1718", "CVE-2010-2783", "CVE-2013-2458", "CVE-2011-3554", "CVE-2013-0424", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2013-5814", "CVE-2010-3561", "CVE-2011-0025", "CVE-2012-0501", "CVE-2010-3564", "CVE-2013-0440", "CVE-2013-2443", "CVE-2010-3549", "CVE-2012-3422", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2013-5829", "CVE-2010-3554", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2014-2423", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-3560", "CVE-2013-1493", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2010-4351", "CVE-2011-0864", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2426", "CVE-2013-2455", "CVE-2013-2422", "CVE-2013-2383", "CVE-2013-0425", "CVE-2013-1484", "CVE-2011-3552", "CVE-2013-5774", "CVE-2012-1724", "CVE-2010-3567", "CVE-2010-3573", "CVE-2013-6629", "CVE-2012-5068", "CVE-2013-3829", "CVE-2013-0441", "CVE-2010-3548", "CVE-2011-0706", "CVE-2012-5979", "CVE-2012-0502", "CVE-2013-5783", "CVE-2010-4467", "CVE-2012-3423", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2014-2398", "CVE-2010-3568", "CVE-2014-0451", "CVE-2013-1569", "CVE-2013-2412", "CVE-2014-0452", "CVE-2011-0862", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2014-2414", "CVE-2010-3569", "CVE-2011-0871", "CVE-2013-2449", "CVE-2011-0872", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-06T19:46:20"}, {"id": "GLSA-201401-30", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). \n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code. Furthermore, a local or remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.7.0.51\"\n \n\nAll Oracle JRE 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.7.0.51\"\n \n\nAll users of the precompiled 32-bit Oracle JRE should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.7.0.51\"\n \n\nAll Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one of the newer Oracle packages like dev-java/oracle-jdk-bin or dev-java/oracle-jre-bin or choose another alternative we provide; eg. the IBM JDK/JRE or the open source IcedTea. \n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically.", "published": "2014-01-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201401-30", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-2431", "CVE-2013-2468", "CVE-2013-2420", "CVE-2013-5889", "CVE-2013-2384", "CVE-2013-2415", "CVE-2013-5848", "CVE-2012-1711", "CVE-2013-1491", "CVE-2013-1571", "CVE-2013-5782", "CVE-2013-5846", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-0402", "CVE-2013-5818", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2416", "CVE-2013-2427", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2012-1725", "CVE-2014-0385", "CVE-2013-2424", "CVE-2013-5878", "CVE-2013-5850", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-5778", "CVE-2013-2456", "CVE-2013-0448", "CVE-2014-0410", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-1479", "CVE-2013-2462", "CVE-2013-0169", "CVE-2014-0415", "CVE-2013-2414", "CVE-2012-1719", "CVE-2013-2394", "CVE-2011-3563", "CVE-2013-5870", "CVE-2013-2421", "CVE-2012-3159", "CVE-2013-1518", "CVE-2013-5776", "CVE-2012-5087", "CVE-2013-5788", "CVE-2013-5905", "CVE-2013-0809", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2013-5893", "CVE-2013-5842", "CVE-2014-0387", "CVE-2012-5085", "CVE-2012-5076", "CVE-2013-5810", "CVE-2013-5830", "CVE-2013-2473", "CVE-2012-5079", "CVE-2012-4416", "CVE-2013-5898", "CVE-2012-0507", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-5832", "CVE-2012-3136", "CVE-2013-1488", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2014-0375", "CVE-2012-5081", "CVE-2012-5067", "CVE-2013-5817", "CVE-2012-0503", "CVE-2012-3174", "CVE-2011-5035", "CVE-2013-2419", "CVE-2012-1723", "CVE-2013-2463", "CVE-2013-1563", "CVE-2013-2469", "CVE-2013-5787", "CVE-2013-5852", "CVE-2012-1726", "CVE-2014-0418", "CVE-2013-0351", "CVE-2013-2465", "CVE-2014-0373", "CVE-2013-1537", "CVE-2013-3743", "CVE-2013-5854", "CVE-2012-0498", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5887", "CVE-2012-0506", "CVE-2014-0408", "CVE-2013-5825", "CVE-2012-1717", "CVE-2012-1721", "CVE-2014-0376", "CVE-2013-2423", "CVE-2014-0422", "CVE-2013-5789", "CVE-2014-0411", "CVE-2013-2439", "CVE-2013-1561", "CVE-2013-5823", "CVE-2013-0409", "CVE-2013-5895", "CVE-2013-0438", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2013-2428", "CVE-2012-5083", "CVE-2013-5843", "CVE-2012-5088", "CVE-2013-5899", "CVE-2013-2429", "CVE-2013-5812", "CVE-2013-5849", "CVE-2012-5086", "CVE-2013-5896", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-1532", "CVE-2012-5077", "CVE-2013-1486", "CVE-2014-0417", "CVE-2013-5780", "CVE-2013-5910", "CVE-2013-1487", "CVE-2013-5906", "CVE-2013-0430", "CVE-2013-0445", "CVE-2012-5069", "CVE-2014-0428", "CVE-2012-3216", "CVE-2014-0382", "CVE-2012-0505", "CVE-2013-5824", "CVE-2012-5084", "CVE-2013-5831", "CVE-2012-1718", "CVE-2013-2440", "CVE-2013-2434", "CVE-2013-2464", "CVE-2013-2458", "CVE-2012-3213", "CVE-2013-2459", "CVE-2012-5071", "CVE-2013-5814", "CVE-2013-2442", "CVE-2012-0499", "CVE-2012-0501", "CVE-2013-0446", "CVE-2013-2432", "CVE-2012-1722", "CVE-2014-0368", "CVE-2013-2443", "CVE-2014-0423", "CVE-2013-1481", "CVE-2013-5775", "CVE-2013-2446", "CVE-2012-0547", "CVE-2013-5829", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2438", "CVE-2013-1540", "CVE-2012-0500", "CVE-2013-2467", "CVE-2013-5907", "CVE-2013-1493", "CVE-2013-5902", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-5844", "CVE-2013-0437", "CVE-2012-4681", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2012-0504", "CVE-2013-2426", "CVE-2014-0424", "CVE-2013-2455", "CVE-2013-5819", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-1484", "CVE-2013-1564", "CVE-2013-1558", "CVE-2013-5774", "CVE-2012-1724", "CVE-2013-0422", "CVE-2012-5068", "CVE-2014-0403", "CVE-2013-3829", "CVE-2012-1682", "CVE-2012-3143", "CVE-2012-0502", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-2425", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-1569", "CVE-2013-5838", "CVE-2013-2412", "CVE-2013-0449", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2013-5801", "CVE-2014-0416", "CVE-2013-2449", "CVE-2013-2466", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-0423", "CVE-2013-5772", "CVE-2013-0419"], "lastseen": "2016-09-06T19:46:14"}], "freebsd": [{"id": "D5E0317E-5E45-11E2-A113-C48508086173", "type": "freebsd", "title": "java 7.x -- security manager bypass", "description": "\nUS CERT reports:\n\nJava 7 Update 10 and earlier versions of Java 7 contain a\n\t vulnerability that can allow a remote, unauthenticated\n\t attacker to execute arbitrary code on a vulnerable\n\t system.\nThe Java JRE plug-in provides its own Security Manager.\n\t Typically, a web applet runs with a security manager\n\t provided by the browser or Java Web Start plugin. Oracle's\n\t document states, \"If there is a security manager already\n\t installed, this method first calls the security manager's\n\t checkPermission method with a\n\t RuntimePermission(\"setSecurityManager\") permission to ensure\n\t it's safe to replace the existing security manager. This may\n\t result in throwing a SecurityException\".\nBy leveraging the vulnerability in the Java Management\n\t Extensions (JMX) MBean components, unprivileged Java code\n\t can access restricted classes. By using that vulnerability\n\t in conjunction with a second vulnerability involving the\n\t Reflection API and the invokeWithArguments method of the\n\t MethodHandle class, an untrusted Java applet can escalate\n\t its privileges by calling the the setSecurityManager()\n\t function to allow full privileges, without requiring code\n\t signing. Oracle Java 7 update 10 and earlier Java 7 versions\n\t are affected. The invokeWithArguments method was introduced\n\t with Java 7, so therefore Java 6 is not affected.\nThis vulnerability is being attacked in the wild, and is\n\t reported to be incorporated into exploit kits. Exploit code\n\t for this vulnerability is also publicly available.\n\nEsteban Guillardoy from Immunity Inc. additionally clarifies\n\t on the recursive reflection exploitation technique:\n\nThe real issue is in the native\n\t sun.reflect.Reflection.getCallerClass method.\nWe can see the following information in the Reflection\n\t source code:\nReturns the class of the method realFramesToSkip frames\n\t up the stack (zero-based), ignoring frames associated with\n\t java.lang.reflect.Method.invoke() and its\n\t implementation.\nSo what is happening here is that they forgot to skip the\n\t frames related to the new Reflection API and only the old\n\t reflection API is taken into account.\n\nThis exploit does not only affect Java applets, but every\n\t piece of software that relies on the Java Security Manager for\n\t sandboxing executable code is affected: malicious code can\n\t totally disable Security Manager.\nFor users who are running native Web browsers with enabled\n\t Java plugin, the workaround is to remove the java/icedtea-web\n\t port and restart all browser instances.\nFor users who are running Linux Web browser flavors, the\n\t workaround is either to disable the Java plugin in browser\n\t or to upgrade linux-sun-* packages to the non-vulnerable\n\t version.\nIt is not recommended to run untrusted applets using\n\t appletviewer, since this may lead to the execution of the\n\t malicious code on vulnerable versions on JDK/JRE.\n", "published": "2013-01-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/d5e0317e-5e45-11e2-a113-c48508086173.html", "cvelist": ["CVE-2013-0433"], "lastseen": "2016-09-26T17:24:33"}], "zdi": [{"id": "ZDI-13-022", "type": "zdi", "title": "Oracle Java AWT Image Transform Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the Java AWT Image Transform library functions. For certain image transformation functions, Java fails to take the 'numBands' into account during the allocation of heap memory and instead uses a static value of 0x4. The allocated memory is later written to inside a loop that uses the 'numBands' value which can result in a memory corruption. This can lead to remote code execution under the context of the current process.", "published": "2013-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-022", "cvelist": ["CVE-2013-1480"], "lastseen": "2016-11-09T00:17:54"}], "seebug": [{"id": "SSV:60629", "type": "seebug", "title": "Oracle Java SE JMX\u5b50\u7ec4\u4ef6\u8fdc\u7a0bJRE\u6f0f\u6d1e(CVE-2013-0450)", "description": "BUGTRAQ ID: 57703\r\nCVE(CAN) ID: CVE-2013-0450\r\n\r\nOracle Java Runtime Environment (JRE)\u662f\u4e00\u6b3e\u4e3aJAVA\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u53ef\u9760\u8fd0\u884c\u73af\u5883\u7684\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nJava Runtime Environment\u7ec4\u4ef6\u7684JMX\u5b50\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u8ba4\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5f71\u54cd\u5176\u673a\u5bc6\u6027\u3001\u5b8c\u6574\u6027\u3001\u53ef\u7528\u6027\u3002\r\n0\r\nOracle Sun JRE <= JavaFX 2.2.4\r\nOracle Sun JRE <= 7 Update 11\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nOracle\r\n------\r\nOracle\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08javacpufeb2013verbose-1841196\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\njavacpufeb2013verbose-1841196\uff1aText Form of Oracle Java SE Critical Patch Update - February 2013 Risk Matrices\r\n\u94fe\u63a5\uff1ahttp://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html", "published": "2013-02-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-60629", "cvelist": ["CVE-2013-0450"], "lastseen": "2017-11-19T17:46:39"}, {"id": "SSV:60997", "type": "seebug", "title": "IBM Security AppScan Enterprise \u5f31\u5bc6\u7801\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e(CVE-2013-0531)", "description": "BUGTRAQ ID: 62179\r\nCVE(CAN) ID: CVE-2013-0531\r\n\r\nIBM Securityl AppScan Enterprise \u662f\u4e00\u4e2a\u57fa\u4e8eWeb \u7684\u591a\u7528\u6237Web \u5e94\u7528\u7a0b\u5e8f\u5b89\u5168\u89e3\u51b3\u65b9\u6848\uff0c\u63d0\u4f9b\u96c6\u4e2d\u7684\u5b89\u5168\u6027\u626b\u63cf\u3001\u6570\u636e\u5408\u5e76\u548c\u62a5\u544a\u3001\u8865\u6551\u529f\u80fd\u3001\u6267\u884c\u4eea\u8868\u677f\u7b49\u529f\u80fd\r\n\r\nIBM Security AppScan Enterprise (\u5373\u4e4b\u524d\u7684IBM Rational AppScan Enterprise) \u652f\u6301\u4f7f\u7528\u5f31\u52a0\u5bc6\u7b97\u6cd5\u7684SSL\u5957\u4ef6\uff0c\u653b\u51fb\u8005\u65e0\u9700\u672c\u5730\u7f51\u7edc\u8bbf\u95ee\u53ca\u8eab\u4efd\u9a8c\u8bc1\uff0c\u5373\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u89e3\u5bc6\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u4e4b\u95f4\u7684\u901a\u8baf\uff0c\u6216\u5728\u5ba2\u6237\u7aef\u4e0a\u6267\u884c\u4e2d\u95f4\u4eba\u653b\u51fb\uff0c\u4ece\u800c\u83b7\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\r\n0\r\nIBM Rational AppScan Enterprise 5.6-8.7\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nIBM\r\n---\r\nIBM\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff081640352\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n1640352\uff1aMultiple vulnerabilities in IBM Security AppScan Enterprise (CVE-2013-0531, CVE-2013-0440, CVE-2013-2997)\r\n\u94fe\u63a5\uff1ahttp://www-01.ibm.com/support/docview.wss?uid=swg21640352", "published": "2013-09-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-60997", "cvelist": ["CVE-2013-0440", "CVE-2013-0531", "CVE-2013-2997"], "lastseen": "2017-11-19T17:40:35"}]}}
